https://community.splunk.com/t5/Getting-Data-In/Why-is-syslog-data-not-getting-indexed-with-my-current-inputs/m-p/196000#M38975 <P>Ok,I see this error in the log files </P> <P>and thats the source ip address. <BR /> Which is up and running and have the source files.<BR /> Able to resolve the IP.<BR /> Also tried using the fQDN in the inputs.conf instead of the ip no luck.</P> <P>08-14-2015 11:32:59.636 -0700 INFO TcpInputConfig - No matching config for 172.26.95.7<BR /> 08-14-2015 11:32:59.636 -0700 WARN TcpInputProc - Could not find matching host.<BR /> 08-14-2015 11:33:11.126 -0700 INFO TcpInputConfig - No matching config for 172.26.95.7<BR /> 08-14-2015 11:33:11.126 -0700 WARN TcpInputProc - Could not find matching host.</P> <P>How do I identify if Splunk is not able to get connect and fetch the data or is it something else.</P> Fri, 28 Aug 2015 08:17:17 GMT athorat 2015-08-28T08:17:17Z https://community.splunk.com/t5/Getting-Data-In/Why-is-syslog-data-not-getting-indexed-with-my-current-inputs/m-p/195991#M38966 <P>We are trying to Index data from syslog and have the following configuration in the inputs.conf on the forwarder.</P> <PRE><CODE>[tcp://IP:10514] index = NWK disabled = 0 #followTail = 0 sourcetype = NW:PROD:SYSLOG </CODE></PRE> <P>From the search head, when we use <CODE>index=NWK</CODE>, it does not show any data.<BR /> What can be checked to see where the connection is breaking?</P> <P>Thanks,<BR /> Anil.</P> Thu, 27 Aug 2015 19:11:43 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-syslog-data-not-getting-indexed-with-my-current-inputs/m-p/195991#M38966 athorat 2015-08-27T19:11:43Z https://community.splunk.com/t5/Getting-Data-In/Why-is-syslog-data-not-getting-indexed-with-my-current-inputs/m-p/195992#M38967 <P>Is that the only data source in the forwarder? <BR /> If not, are the other working ok? <BR /> If it is what's your outputs.conf like?</P> Thu, 27 Aug 2015 20:46:28 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-syslog-data-not-getting-indexed-with-my-current-inputs/m-p/195992#M38967 diogofgm 2015-08-27T20:46:28Z https://community.splunk.com/t5/Getting-Data-In/Why-is-syslog-data-not-getting-indexed-with-my-current-inputs/m-p/195993#M38968 <P>No there are multiple data sources which are working using this forwarder.<BR /> outputs.conf contains server = Servernanme:9997 and some other config (is there anything which I should be looking here)</P> Thu, 27 Aug 2015 21:06:26 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-syslog-data-not-getting-indexed-with-my-current-inputs/m-p/195993#M38968 athorat 2015-08-27T21:06:26Z https://community.splunk.com/t5/Getting-Data-In/Why-is-syslog-data-not-getting-indexed-with-my-current-inputs/m-p/195994#M38969 <P>If the others sources are ok I would look at the origin of the data. Or any connection between the forwarder and the IP:10514</P> Thu, 27 Aug 2015 21:09:25 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-syslog-data-not-getting-indexed-with-my-current-inputs/m-p/195994#M38969 diogofgm 2015-08-27T21:09:25Z https://community.splunk.com/t5/Getting-Data-In/Why-is-syslog-data-not-getting-indexed-with-my-current-inputs/m-p/195995#M38970 <P>Yes makes sense, though what do we look at on the origin of Data. <BR /> Can you shed some light on it.</P> Thu, 27 Aug 2015 21:16:38 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-syslog-data-not-getting-indexed-with-my-current-inputs/m-p/195995#M38970 athorat 2015-08-27T21:16:38Z https://community.splunk.com/t5/Getting-Data-In/Why-is-syslog-data-not-getting-indexed-with-my-current-inputs/m-p/195996#M38971 <P>Is the syslog data being generated from the same host thats running the forwarder?<BR /> If it is I would suggest setting it up like this and testing.</P> <P>[tcp://:10514]<BR /> connection_host = none<BR /> index=NWK<BR /> sourcetype = NW:PROD:SYSLOG</P> Thu, 27 Aug 2015 23:08:35 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-syslog-data-not-getting-indexed-with-my-current-inputs/m-p/195996#M38971 cramasta 2015-08-27T23:08:35Z https://community.splunk.com/t5/Getting-Data-In/Why-is-syslog-data-not-getting-indexed-with-my-current-inputs/m-p/195997#M38972 <P>Its coming from a different server not from the heavy forwarder.</P> Thu, 27 Aug 2015 23:35:17 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-syslog-data-not-getting-indexed-with-my-current-inputs/m-p/195997#M38972 athorat 2015-08-27T23:35:17Z https://community.splunk.com/t5/Getting-Data-In/Why-is-syslog-data-not-getting-indexed-with-my-current-inputs/m-p/195998#M38973 <P>On the forwarder, take a look at</P> <PRE><CODE>SPLUNK_HOME/var/log/splunk/splunkd.log </CODE></PRE> <P>This will show you if there are any error messages regarding the inputs.conf, outputs.conf etc.<BR /> Connection failures usually appear here.</P> <P>Also, is there an index named NWK on the indexer? </P> Fri, 28 Aug 2015 00:19:54 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-syslog-data-not-getting-indexed-with-my-current-inputs/m-p/195998#M38973 lguinn2 2015-08-28T00:19:54Z https://community.splunk.com/t5/Getting-Data-In/Why-is-syslog-data-not-getting-indexed-with-my-current-inputs/m-p/195999#M38974 <P>Yes there is a index named NWK on the indexer<BR /> And also it shows up in inex=NWK which is coming from some remote_searches.log file.<BR /> I will check from the log file in the mean time.<BR /> Thanks.</P> Fri, 28 Aug 2015 00:22:51 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-syslog-data-not-getting-indexed-with-my-current-inputs/m-p/195999#M38974 athorat 2015-08-28T00:22:51Z https://community.splunk.com/t5/Getting-Data-In/Why-is-syslog-data-not-getting-indexed-with-my-current-inputs/m-p/196000#M38975 <P>Ok,I see this error in the log files </P> <P>and thats the source ip address. <BR /> Which is up and running and have the source files.<BR /> Able to resolve the IP.<BR /> Also tried using the fQDN in the inputs.conf instead of the ip no luck.</P> <P>08-14-2015 11:32:59.636 -0700 INFO TcpInputConfig - No matching config for 172.26.95.7<BR /> 08-14-2015 11:32:59.636 -0700 WARN TcpInputProc - Could not find matching host.<BR /> 08-14-2015 11:33:11.126 -0700 INFO TcpInputConfig - No matching config for 172.26.95.7<BR /> 08-14-2015 11:33:11.126 -0700 WARN TcpInputProc - Could not find matching host.</P> <P>How do I identify if Splunk is not able to get connect and fetch the data or is it something else.</P> Fri, 28 Aug 2015 08:17:17 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-syslog-data-not-getting-indexed-with-my-current-inputs/m-p/196000#M38975 athorat 2015-08-28T08:17:17Z https://community.splunk.com/t5/Getting-Data-In/Why-is-syslog-data-not-getting-indexed-with-my-current-inputs/m-p/196001#M38976 <P>Is the source sending data to port 10514?<BR /> I had some issues before on network devices because some devices didn't allow me the change the port for syslog from514 and if I was are running splunk with other user than root I couldnt create inputs for port 514</P> Fri, 28 Aug 2015 12:06:24 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-syslog-data-not-getting-indexed-with-my-current-inputs/m-p/196001#M38976 diogofgm 2015-08-28T12:06:24Z