topic Re: Splunk isn't logging any of my data in a new 8.0.2 install in Splunk Enterprise

Splunk isn't logging any of my data in a new 8.0.2 install

christopherryan — Mon, 08 Jun 2020 21:18:06 GMT

Hi Team,

I'm a very novice Spluker and have only really upgraded it once and installed it a couple times on our servers to update it. Right now I just installed a new Splunk instance on Server 2019 and am about to migrate our existing Splunk 2012 server over to it. I have already migrated just the warm buckets over to the new server in the cold location. I can search that data, and that's good.

The problem is that I'm sending test data over to the new Splunk 8.0.2 server and it's either not getting it or not indexing it. I followed Splunk 8.0.2's Can't Find My Data Doc https://docs.splunk.com/Documentation/Splunk/8.0.2/Troubleshooting/Cantfinddata and the Splunk instance is only one server, no forwarders, no separate servers, just everything in one server.

Troubleshooting I have done:

Everything I could understand and that
is applicable in Splunk 8.0.2's Can't Find My Data Doc
https://docs.splunk.com/Documentation/Splunk/8.0.2/Troubleshooting/Cantfinddata
I confirmed the Splunk service is
running on the server.
I can ping the server from the network
device, and I can ping the network
device from the server. There are no
Firewalls in place between the device and server and the Windows
Server 2019 FW is turned off.
I checked the Windows File structure
in the actual VM and it hasn't created
a hot bucket yet, so if it's getting
the data, it's not
I also installed a Kiwi Syslog server
on my desktop and put my IP in the
network device and sure enough it's
sending data.

I'm not really sure what else to try, so any help or things to check would be appreciated.

Thanks Splunk Answers!

-Chris

Re: Splunk isn't logging any of my data in a new 8.0.2 install

PavelP — Wed, 08 Apr 2020 08:14:30 GMT

Hi Chris,

if I understand all correctly you have a syslog server (kiwi) and a splunk server and you sending syslog data to the splunk server using UDP/TCP to the default port 514.

have you enabled and configured a syslog input port on the splunk server? It should accept the same protocol (TCP/UDP) and be on the same port (514). It is NOT a splunk receiver port.
the procedure is different if you're using splunk universal forwarder instead of syslog
can you check that the date is coming in using Wireshark?
can you check both Kiwi Log and $SPLUNK_HOME/var/log/splunk/splunkd.log ?

Re: Splunk isn't logging any of my data in a new 8.0.2 install

christopherryan — Wed, 08 Apr 2020 14:51:45 GMT

Thank you, Thank you, Thank you PavelP!!!

I did a total facepalm once I realized Splunk didn't listen on any port by default. Once I added that information I instantly started getting the logs I was expecting.

Thank you for kindly pointing me in the right direction 🙂