Troubleshoot the input process

Troubleshoot the input process

Not finding the events you're looking for?

When you add an input to Splunk, that input gets added relative to the app you're in. Some apps, like the *nix and Windows apps, write input data to a specific index (in the case of *nix and Windows, that is the 'os' index). If you're not finding data that you're certain is in Splunk, be sure that you're looking at the right index. You may want to add the 'os' index to the list of default indexes for the role you're using. For more information about roles, refer to the topic about roles in the Admin manual.

Note: When you add inputs by editing inputs.conf, Splunk may not immediately recognize them. Splunk looks for inputs every 24 hours, starting from the time it was last restarted. This means that if you add a new stanza to monitor a directory or file, it could take up to 24 hours for Splunk to start indexing the contents of that directory or file. To ensure that your input is immediately recognized and indexed, add the input through Splunk Web or by using the add command in the CLI.

Troubleshoot your tailed files

You can use the FileStatus REST endpoint to get the status of your tailed files. For example:

https://serverhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus

Troubleshoot monitor inputs

For a variety of information on dealing with monitor input issues, see this article in the Community Wiki: Troubleshooting Monitor Inputs.

Can't find data coming from a forwarder?

Make sure the forwarder is functioning properly and is visible to the indexer. You can use the Deployment Monitor app to troubleshoot Splunk topologies and get to the root of any forwarder issues. See "About the deployment monitor" for details.

• Was this topic useful?
• Post a comment