I have one forwarder that is working for 6+ sources. I created two sources today and no data is showing up.
If I do this search:
source="/usr/local/exist/latest/webapp/WEB-INF/logs/scheduler.log" host="vmweb3"
for all time, or this one:
source="/usr/local/exist/latest/webapp/WEB-INF/logs/exist.log" host="vmweb3"
for all time, I don't see any events showing up. I can search for other events from the same forwarder and that data does display and is current.
From the Universal Forwarder Splunk account, I can cat the files so I know that Splunk can read the files.
I have set the source type to auto detect.
For the scheduler, a few records look like:
2016-07-11 11:58:27,547 [DefaultQuartzScheduler_Worker-3] DEBUG (SystemTaskManager.java [runSystemTask]:86) - Running system maintenance task: org.exist.storage.sync.SyncTask
2016-07-11 11:58:27,549 [DefaultQuartzScheduler_Worker-3] DEBUG (SystemTaskManager.java [runSystemTask]:89) - System task completed.
2016-07-11 11:58:30,047 [DefaultQuartzScheduler_Worker-4] DEBUG (SystemTaskManager.java [runSystemTask]:86) - Running system maintenance task: org.exist.storage.sync.SyncTask
2016-07-11 11:58:30,049 [DefaultQuartzScheduler_Worker-4] DEBUG (SystemTaskManager.java [runSystemTask]:89) - System task completed.
For the exist.log file, here are a few (but this is a log file that can contain stack traces):
2016-07-11 11:55:52,372 [eXistThread-172] INFO (NativeBroker.java [removeXMLResource]:2705) - Removing document august-8-newyorkcity.xml (30217) ...
2016-07-11 11:57:52,564 [DefaultQuartzScheduler_Worker-4] INFO (NativeBroker.java [sync]:3669) - Memory: 1,454,592K total; 1,454,592K max; 490,528K free
I have verified that when I created the input in Splunk for these files, I used the default index.
A scan of the splunkd.log file on the UF does not show anything different.
Any help you can provide for next steps diagnosing this would be much appreciated.
Thanks
Eric
How to troubleshoot why I am not receiving data for two sources I created on a universal forwarder?