topic Re: Universal Forwarder not sending data to indexer after successful connection in Getting Data In

Universal Forwarder not sending data to indexer after successful connection

RecoMark0 — Sat, 09 Jul 2016 00:39:40 GMT

Hello,
I have a setup that consists of a Search Head and 2 indexers in a cluster. I also use a self signed SSL certificate between the indexers and my universal forwarders.

For some reason, my UF is able to connect to the indexers, but no data is sent.
07-09-2016 00:21:15.670 +0000 INFO TcpOutputProc - Connected to idx=x.x.x.x:9997

My test logs directly on the indexers were sent to the search head without issue.
running splunk list monitor on the UF lists all the logs I want to monitor
No errors in splunkd.log on the UF that I can see, just the usual warnings I get in my duplicate setup in another enviornment that IS working.
No errors in metrics.log on the UF either.
On the Indexer is this warning:

WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Fri Jul 8 20:30:38 2016). Context: source::\\s$\Logs\service.log|host::|Service Logs|174315

What else can I test to pinpoint my issue?

Re: Universal Forwarder not sending data to indexer after successful connection

renjith_nair — Sat, 09 Jul 2016 02:54:04 GMT

It's possible that the timestamp recognition is not working as expected and the events are indexed with an old timestamp.
Have you tried setting the time range to 'all time' and see if there are any events from this forwarder?

Try | metadata type=hosts index=* to see if the host is connected

Also have a look at http://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs

Re: Universal Forwarder not sending data to indexer after successful connection

woodcock — Sun, 10 Jul 2016 13:16:03 GMT

You have a linebreaking/merging problem or a timestamping problem (the former often causes the latter). We need to see a few sample log events and your inputs.conf and props.conf files.

Re: Universal Forwarder not sending data to indexer after successful connection

ddrillic — Sun, 10 Jul 2016 14:09:55 GMT

The "official" documentation to debug such a case at I can't find my data!

Re: Universal Forwarder not sending data to indexer after successful connection

RecoMark0 — Mon, 11 Jul 2016 15:06:59 GMT

Sigh, I forgot to add the index my inputs.conf was going to, to the admin role "indexes searched by default". Sorry for wasting everyone's time! Rookie mistake.

Re: Universal Forwarder not sending data to indexer after successful connection

ddrillic — Mon, 11 Jul 2016 15:16:41 GMT

It's all good - we all make all sorts of mistakes...