https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-universal-forwarder-not-indexing-data-from-all-log/m-p/289387#M55227 <P>Next thing to check would be whether the index you have configured for each input on the forwarder are defined on the indexing tier. Otherwise you will see error messages in _internal that look like this: "received event for unconfigured/disabled/deleted index='[index_name]' with source='[source]' host='[hostname]' sourcetype='[sourcetype]' (n missing total)"</P> <P>You can also run this search to find out whether the indexer is receiving any data from the forwarder:<BR /> index=_internal sourcetype=splunkd group=per_host_thruput series=your_forwarder_host_here | timechart sum(kb) as totalkb by series limit=0</P> Tue, 29 Sep 2020 12:47:55 GMT s2_splunk 2020-09-29T12:47:55Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-universal-forwarder-not-indexing-data-from-all-log/m-p/289381#M55221 <P>Hello</P> <P>I am running Splunk as not root user. my Splunk universal forwarder is not indexing data from all files. </P> <P>when i run Splunk list monitor, it is listing all my files that i have mentioned in input stanza, but it is not indexing those files. i have checked privileges for those files and as a non root user i can cat those files. </P> <P>can anyone help me?? </P> Tue, 07 Feb 2017 20:27:33 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-universal-forwarder-not-indexing-data-from-all-log/m-p/289381#M55221 AzmathShaik 2017-02-07T20:27:33Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-universal-forwarder-not-indexing-data-from-all-log/m-p/289382#M55222 <P>What do you get with this search:</P> <PRE><CODE>index=_* host=&lt;YourHost&gt; </CODE></PRE> <P>If nothing, then the problem is that your host is not sending to your indexers.</P> Tue, 07 Feb 2017 20:37:22 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-universal-forwarder-not-indexing-data-from-all-log/m-p/289382#M55222 woodcock 2017-02-07T20:37:22Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-universal-forwarder-not-indexing-data-from-all-log/m-p/289383#M55223 <P>Yup, second stop would be to check /opt/splunkforwarder/var/log/splunk/splunkd.log directly on the forwarder host for any hints as to what may be happening.</P> Tue, 07 Feb 2017 20:40:35 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-universal-forwarder-not-indexing-data-from-all-log/m-p/289383#M55223 s2_splunk 2017-02-07T20:40:35Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-universal-forwarder-not-indexing-data-from-all-log/m-p/289384#M55224 <P>it is giving me events with _internal index.</P> Tue, 07 Feb 2017 20:41:35 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-universal-forwarder-not-indexing-data-from-all-log/m-p/289384#M55224 AzmathShaik 2017-02-07T20:41:35Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-universal-forwarder-not-indexing-data-from-all-log/m-p/289385#M55225 <P>i have checked splunkd.log there are no errors </P> Tue, 07 Feb 2017 20:43:18 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-universal-forwarder-not-indexing-data-from-all-log/m-p/289385#M55225 AzmathShaik 2017-02-07T20:43:18Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-universal-forwarder-not-indexing-data-from-all-log/m-p/289386#M55226 <P>Check to make sure that the clock on the forwarder is correct and the TZ is accounted for in the TZ setting in <CODE>props.conf</CODE>. It may be that the events are being "sent to the future". To check this, search for "All Time".</P> <P>Also login to the server as the user that is running splunk and verify that you can read the file contents manually. If you have a permission problem manually, then this is the problem for Splunk, too.</P> Tue, 07 Feb 2017 21:21:30 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-universal-forwarder-not-indexing-data-from-all-log/m-p/289386#M55226 woodcock 2017-02-07T21:21:30Z https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-universal-forwarder-not-indexing-data-from-all-log/m-p/289387#M55227 <P>Next thing to check would be whether the index you have configured for each input on the forwarder are defined on the indexing tier. Otherwise you will see error messages in _internal that look like this: "received event for unconfigured/disabled/deleted index='[index_name]' with source='[source]' host='[hostname]' sourcetype='[sourcetype]' (n missing total)"</P> <P>You can also run this search to find out whether the indexer is receiving any data from the forwarder:<BR /> index=_internal sourcetype=splunkd group=per_host_thruput series=your_forwarder_host_here | timechart sum(kb) as totalkb by series limit=0</P> Tue, 29 Sep 2020 12:47:55 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-universal-forwarder-not-indexing-data-from-all-log/m-p/289387#M55227 s2_splunk 2020-09-29T12:47:55Z