<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Indexer not indexing forwarded data in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Indexer-not-indexing-forwarded-data/m-p/302110#M57065</link>
    <description>&lt;P&gt;I have a forwarder that's set up to monitor a log file at the location: /var/log/mhn/mhn-splunk.log.&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;inputs.conf on forwarder:&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;[monitor:///var/log/mhn/mhn-splunk.log]&lt;BR /&gt;
sourcetype = mhn&lt;BR /&gt;
index = mhn&lt;BR /&gt;
disabled = false&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;outputs.conf on forwarder:&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;[tcpout]&lt;BR /&gt;
defaultGroup = default-autolb-group&lt;/P&gt;

&lt;P&gt;[tcpout:default-autolb-group]&lt;BR /&gt;
server = Dest IP:9997&lt;/P&gt;

&lt;P&gt;[tcpout-server://Dest IP:9997]&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;On the forwarder&lt;/STRONG&gt;&lt;/P&gt;

&lt;UL&gt;
&lt;LI&gt;&lt;P&gt;I have verified connection using netstat&lt;BR /&gt;
&lt;EM&gt;tcp        0      0 0.0.0.0:8089            0.0.0.0:*               LISTEN      5600/splunkd&lt;/EM&gt;&lt;BR /&gt;
&lt;EM&gt;tcp        0      0 Source IP:48652    Dest IP:9997     ESTABLISHED 5600/splunkd&lt;/EM&gt;&lt;/P&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;P&gt;Checked splunkd.log&lt;BR /&gt;
&lt;EM&gt;02-22-2018 02:04:04.790 -0500 INFO  TcpOutputProc - Connected to idx=Dest IP:9997, pset=0, reuse=0.&lt;BR /&gt;
02-22-2018 02:27:07.846 -0500 INFO  TcpOutputProc - Connected to idx=Dest IP:9997, pset=0, reuse=0.&lt;BR /&gt;
02-22-2018 02:29:03.860 -0500 INFO  TcpOutputProc - Connected to idx=Dest IP:9997, pset=0, reuse=0.&lt;/EM&gt;&lt;/P&gt;&lt;/LI&gt;
&lt;/UL&gt;

&lt;P&gt;&lt;STRONG&gt;On the indexer:&lt;/STRONG&gt;&lt;/P&gt;

&lt;UL&gt;
&lt;LI&gt;&lt;P&gt;I have verified the index, mhn, exists and is enabled.&lt;/P&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;P&gt;Listener is set up on the right port&lt;BR /&gt;
&lt;EM&gt;tcp        0      0 0.0.0.0:9997            0.0.0.0:*               LISTEN      31490/splunkd&lt;/EM&gt;&lt;BR /&gt;
&lt;EM&gt;tcp        0      0 0.0.0.0:8089            0.0.0.0:*               LISTEN      31490/splunkd&lt;/EM&gt;&lt;BR /&gt;
&lt;EM&gt;tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      31490/splunkd&lt;/EM&gt;&lt;BR /&gt;
&lt;EM&gt;tcp        0      0 Dest IP:9997      Source IP:48652    ESTABLISHED 31490/splunkd&lt;/EM&gt;&lt;/P&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;P&gt;metrics.log is showing as receiving the events from the forwarder&lt;BR /&gt;
&lt;EM&gt;02-21-2018 23:40:19.593 -0800 INFO  Metrics - group=tcpin_connections, Source IP:48652:9997, connectionType=cooked, sourcePort=48652, sourceHost=Source IP, sourceIp=Source IP, destPort=9997, kb=7.95, _tcp_Bps=262.59, _tcp_KBps=0.26, _tcp_avg_thruput=0.52, _tcp_Kprocessed=346.17, _tcp_eps=0.19, _process_time_ms=0, evt_misc_kBps=0.00, evt_raw_kBps=0.23, evt_fields_kBps=0.00, evt_fn_kBps=0.00, evt_fv_kBps=0.00, evt_fn_str_kBps=0.00, evt_fn_meta_dyn_kBps=0.00, evt_fn_meta_predef_kBps=0.00, evt_fn_meta_str_kBps=0.00, evt_fv_num_kBps=0.00, evt_fv_str_kBps=0.00, evt_fv_predef_kBps=0.00, evt_fv_offlen_kBps=0.00, evt_fv_fp_kBps=0.00, build=03bbabbd5c0f, version=7.0.2, os=Linux, arch=x86_64, hostname=ubuntu, guid=BEB9358D-17D6-4C65-B408-99DF4C038DFA, fwdType=uf, ssl=false, lastIndexer=Dest IP:9997, ack=false&lt;/EM&gt;&lt;/P&gt;&lt;/LI&gt;
&lt;/UL&gt;

&lt;P&gt;Can't quite figure out why I'm not seeing the events in index=mhn. I was hoping the Splunk community might be able to tell me if there was anything I was missing.&lt;/P&gt;</description>
    <pubDate>Tue, 29 Sep 2020 18:09:17 GMT</pubDate>
    <dc:creator>gauravnj1</dc:creator>
    <dc:date>2020-09-29T18:09:17Z</dc:date>
    <item>
      <title>Indexer not indexing forwarded data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Indexer-not-indexing-forwarded-data/m-p/302110#M57065</link>
      <description>&lt;P&gt;I have a forwarder that's set up to monitor a log file at the location: /var/log/mhn/mhn-splunk.log.&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;inputs.conf on forwarder:&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;[monitor:///var/log/mhn/mhn-splunk.log]&lt;BR /&gt;
sourcetype = mhn&lt;BR /&gt;
index = mhn&lt;BR /&gt;
disabled = false&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;outputs.conf on forwarder:&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;[tcpout]&lt;BR /&gt;
defaultGroup = default-autolb-group&lt;/P&gt;

&lt;P&gt;[tcpout:default-autolb-group]&lt;BR /&gt;
server = Dest IP:9997&lt;/P&gt;

&lt;P&gt;[tcpout-server://Dest IP:9997]&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;On the forwarder&lt;/STRONG&gt;&lt;/P&gt;

&lt;UL&gt;
&lt;LI&gt;&lt;P&gt;I have verified connection using netstat&lt;BR /&gt;
&lt;EM&gt;tcp        0      0 0.0.0.0:8089            0.0.0.0:*               LISTEN      5600/splunkd&lt;/EM&gt;&lt;BR /&gt;
&lt;EM&gt;tcp        0      0 Source IP:48652    Dest IP:9997     ESTABLISHED 5600/splunkd&lt;/EM&gt;&lt;/P&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;P&gt;Checked splunkd.log&lt;BR /&gt;
&lt;EM&gt;02-22-2018 02:04:04.790 -0500 INFO  TcpOutputProc - Connected to idx=Dest IP:9997, pset=0, reuse=0.&lt;BR /&gt;
02-22-2018 02:27:07.846 -0500 INFO  TcpOutputProc - Connected to idx=Dest IP:9997, pset=0, reuse=0.&lt;BR /&gt;
02-22-2018 02:29:03.860 -0500 INFO  TcpOutputProc - Connected to idx=Dest IP:9997, pset=0, reuse=0.&lt;/EM&gt;&lt;/P&gt;&lt;/LI&gt;
&lt;/UL&gt;

&lt;P&gt;&lt;STRONG&gt;On the indexer:&lt;/STRONG&gt;&lt;/P&gt;

&lt;UL&gt;
&lt;LI&gt;&lt;P&gt;I have verified the index, mhn, exists and is enabled.&lt;/P&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;P&gt;Listener is set up on the right port&lt;BR /&gt;
&lt;EM&gt;tcp        0      0 0.0.0.0:9997            0.0.0.0:*               LISTEN      31490/splunkd&lt;/EM&gt;&lt;BR /&gt;
&lt;EM&gt;tcp        0      0 0.0.0.0:8089            0.0.0.0:*               LISTEN      31490/splunkd&lt;/EM&gt;&lt;BR /&gt;
&lt;EM&gt;tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      31490/splunkd&lt;/EM&gt;&lt;BR /&gt;
&lt;EM&gt;tcp        0      0 Dest IP:9997      Source IP:48652    ESTABLISHED 31490/splunkd&lt;/EM&gt;&lt;/P&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;P&gt;metrics.log is showing as receiving the events from the forwarder&lt;BR /&gt;
&lt;EM&gt;02-21-2018 23:40:19.593 -0800 INFO  Metrics - group=tcpin_connections, Source IP:48652:9997, connectionType=cooked, sourcePort=48652, sourceHost=Source IP, sourceIp=Source IP, destPort=9997, kb=7.95, _tcp_Bps=262.59, _tcp_KBps=0.26, _tcp_avg_thruput=0.52, _tcp_Kprocessed=346.17, _tcp_eps=0.19, _process_time_ms=0, evt_misc_kBps=0.00, evt_raw_kBps=0.23, evt_fields_kBps=0.00, evt_fn_kBps=0.00, evt_fv_kBps=0.00, evt_fn_str_kBps=0.00, evt_fn_meta_dyn_kBps=0.00, evt_fn_meta_predef_kBps=0.00, evt_fn_meta_str_kBps=0.00, evt_fv_num_kBps=0.00, evt_fv_str_kBps=0.00, evt_fv_predef_kBps=0.00, evt_fv_offlen_kBps=0.00, evt_fv_fp_kBps=0.00, build=03bbabbd5c0f, version=7.0.2, os=Linux, arch=x86_64, hostname=ubuntu, guid=BEB9358D-17D6-4C65-B408-99DF4C038DFA, fwdType=uf, ssl=false, lastIndexer=Dest IP:9997, ack=false&lt;/EM&gt;&lt;/P&gt;&lt;/LI&gt;
&lt;/UL&gt;

&lt;P&gt;Can't quite figure out why I'm not seeing the events in index=mhn. I was hoping the Splunk community might be able to tell me if there was anything I was missing.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 18:09:17 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Indexer-not-indexing-forwarded-data/m-p/302110#M57065</guid>
      <dc:creator>gauravnj1</dc:creator>
      <dc:date>2020-09-29T18:09:17Z</dc:date>
    </item>
    <item>
      <title>Re: Indexer not indexing forwarded data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Indexer-not-indexing-forwarded-data/m-p/302111#M57066</link>
      <description>&lt;P&gt;Just in case timestamps are not being parsed correctly, try searching &lt;CODE&gt;index=mhn&lt;/CODE&gt; over All Time.&lt;/P&gt;</description>
      <pubDate>Thu, 22 Feb 2018 14:12:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Indexer-not-indexing-forwarded-data/m-p/302111#M57066</guid>
      <dc:creator>richgalloway</dc:creator>
      <dc:date>2018-02-22T14:12:56Z</dc:date>
    </item>
    <item>
      <title>Re: Indexer not indexing forwarded data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Indexer-not-indexing-forwarded-data/m-p/302112#M57067</link>
      <description>&lt;P&gt;You should check the logs and see if your forwarder is sending over data. You can also check the forwarder logs.&lt;/P&gt;

&lt;P&gt;Run this search:&lt;/P&gt;

&lt;P&gt;&lt;CODE&gt;index=_internal sourcetype=splunkd&lt;/CODE&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 22 Feb 2018 14:36:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Indexer-not-indexing-forwarded-data/m-p/302112#M57067</guid>
      <dc:creator>skoelpin</dc:creator>
      <dc:date>2018-02-22T14:36:56Z</dc:date>
    </item>
    <item>
      <title>Re: Indexer not indexing forwarded data</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Indexer-not-indexing-forwarded-data/m-p/302113#M57068</link>
      <description>&lt;P&gt;@richgalloway, you were right. There's something messed up with the timestamps. I'll write another question on how to untangle that mess. Thank you for pointing me in the right direction.&lt;/P&gt;</description>
      <pubDate>Sat, 24 Feb 2018 21:33:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Indexer-not-indexing-forwarded-data/m-p/302113#M57068</guid>
      <dc:creator>gauravnj1</dc:creator>
      <dc:date>2018-02-24T21:33:37Z</dc:date>
    </item>
  </channel>
</rss>

