https://community.splunk.com/t5/Getting-Data-In/splunk-not-receiving-data-from-windows-universal-forwarder/m-p/116764#M24348 <P>Installed universal forwarder in windows. Checked the splunkd log and I could see the connection to server without any error as below. tried checking with firewall and ports.But still index doesnt log any events. </P> <P>TcpOutputProc - Connected to idx=xxxx:9997.</P> <P>Below are my conf file.</P> <PRE><CODE>inputs.conf [default] host = xxxxx [monitor:C:\opt\splunk\] disabled = false sourcetype = hievents index = hiindex Outputs.conf [tcpout] defaultGroup = default-autolb-group [tcpout:default-autolb-group] server = xxxx:9997 [tcpout-server://xxxx:9997] </CODE></PRE> <P>Please advice.</P> Tue, 24 Jun 2014 06:32:51 GMT skumarvs 2014-06-24T06:32:51Z https://community.splunk.com/t5/Getting-Data-In/splunk-not-receiving-data-from-windows-universal-forwarder/m-p/116764#M24348 <P>Installed universal forwarder in windows. Checked the splunkd log and I could see the connection to server without any error as below. tried checking with firewall and ports.But still index doesnt log any events. </P> <P>TcpOutputProc - Connected to idx=xxxx:9997.</P> <P>Below are my conf file.</P> <PRE><CODE>inputs.conf [default] host = xxxxx [monitor:C:\opt\splunk\] disabled = false sourcetype = hievents index = hiindex Outputs.conf [tcpout] defaultGroup = default-autolb-group [tcpout:default-autolb-group] server = xxxx:9997 [tcpout-server://xxxx:9997] </CODE></PRE> <P>Please advice.</P> Tue, 24 Jun 2014 06:32:51 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-not-receiving-data-from-windows-universal-forwarder/m-p/116764#M24348 skumarvs 2014-06-24T06:32:51Z https://community.splunk.com/t5/Getting-Data-In/splunk-not-receiving-data-from-windows-universal-forwarder/m-p/116765#M24349 <P>Hi skumarvs,</P> <P>here are some typical troubleshooting tips:</P> <UL> <LI>Do you search the correct time range - try all time?</LI> <LI>Do you search the correct index - try <CODE>index=hiindex</CODE>?</LI> <LI>Do you have permission to search this index?</LI> <LI>search <CODE>index=_internal source=*splunkd.log</CODE> on the indexer for any error related to the universal forwarder</LI> <LI>run a snoop/tcpdump to ensure there is something sent to the indexer, if the universal forwarder tells you it is connected that does not mean it sends data.</LI> </UL> <P>Last but not least do the usual troubleshooting around Splunk, is everything doing what it should do and so on.</P> <P>hope this helps ...</P> <P>cheers, MuS</P> Tue, 24 Jun 2014 06:53:03 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-not-receiving-data-from-windows-universal-forwarder/m-p/116765#M24349 MuS 2014-06-24T06:53:03Z https://community.splunk.com/t5/Getting-Data-In/splunk-not-receiving-data-from-windows-universal-forwarder/m-p/116766#M24350 <P>Please check for monitor syntax: [monitor://<PATH>]</PATH></P> Tue, 24 Jun 2014 09:52:31 GMT https://community.splunk.com/t5/Getting-Data-In/splunk-not-receiving-data-from-windows-universal-forwarder/m-p/116766#M24350 ankireddy007 2014-06-24T09:52:31Z