https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-data-from-a-heavy-forwarder-but-nothing-in/m-p/301439#M56964 <P>Run btool command on your heavy forwarder to see status and configuration of your internal logs.</P> <PRE><CODE>/opt/splunk/bin/splunk btool inputs list --debug </CODE></PRE> Fri, 07 Jul 2017 16:15:49 GMT somesoni2 2017-07-07T16:15:49Z https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-data-from-a-heavy-forwarder-but-nothing-in/m-p/301438#M56963 <P>I'm seeing some curious behavior our of two of my heavy forwarders. They aren't reporting data into _internal, but I am seeing app data from things I have installed on them. I checked out the logs on the heavy forwarders and the only errors I see are something about a django secret key missing "The SECRET_KEY setting must not be empty " in the web_service.log</P> <P>Any idea what would cause this behavior? </P> Tue, 29 Sep 2020 14:48:39 GMT https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-data-from-a-heavy-forwarder-but-nothing-in/m-p/301438#M56963 rfitch 2020-09-29T14:48:39Z https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-data-from-a-heavy-forwarder-but-nothing-in/m-p/301439#M56964 <P>Run btool command on your heavy forwarder to see status and configuration of your internal logs.</P> <PRE><CODE>/opt/splunk/bin/splunk btool inputs list --debug </CODE></PRE> Fri, 07 Jul 2017 16:15:49 GMT https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-data-from-a-heavy-forwarder-but-nothing-in/m-p/301439#M56964 somesoni2 2017-07-07T16:15:49Z https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-data-from-a-heavy-forwarder-but-nothing-in/m-p/301440#M56965 <P>wild guess, check how much available disk you have on the drive the HF is installed on</P> Fri, 07 Jul 2017 18:34:21 GMT https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-data-from-a-heavy-forwarder-but-nothing-in/m-p/301440#M56965 adonio 2017-07-07T18:34:21Z https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-data-from-a-heavy-forwarder-but-nothing-in/m-p/301441#M56966 <P>If I understand correctly, the forwarder is sending data, but not from select indexes (in this case <CODE>_internal</CODE>). That typically means the forwarder is doing it's default behavior and still needs to be configured for sending the <CODE>_*</CODE> data to the indexers.</P> <P>The documentation at <A href="https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Forwardsearchheaddata">Best practice: Forward search head data to the indexer layer</A> captures the best way to set this up. As with other global config, you'll want your Deployment Server to distribute this configuration to all your endpoints that forward data (not indexers).</P> Mon, 10 Jul 2017 12:14:25 GMT https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-data-from-a-heavy-forwarder-but-nothing-in/m-p/301441#M56966 sloshburch 2017-07-10T12:14:25Z https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-data-from-a-heavy-forwarder-but-nothing-in/m-p/301442#M56967 <P>Splunk Heavy forwarder will not forward the _internal data by its own. We can add the below to make this forwarding to indexers.</P> <P>[tcpout]<BR /> forwardedindex.3.whitelist = (_internal)</P> <P>If you have two or more index, please mention this with pipe.<BR /> forwardedindex.3.whitelist = (_internal|_audit)</P> Wed, 30 Sep 2020 00:42:16 GMT https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-data-from-a-heavy-forwarder-but-nothing-in/m-p/301442#M56967 saravanan90 2020-09-30T00:42:16Z