topic Re: Forwarder not sending data to indexer in Getting Data In

Forwarder not sending data to indexer

722624 — Tue, 29 Sep 2020 15:34:12 GMT

Please check the splunkd.log

08-30-2017 21:03:32.004 -0400 INFO TcpOutputProc - Connected to idx=10.100.xxx.1:9997, pset=0, reuse=0.
08-30-2017 21:03:32.008 -0400 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/opt/splunkforwarder/var/log/splunk/searchhistory.log'.
08-30-2017 21:03:32.009 -0400 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/opt/splunkforwarder/var/log/splunk/splunkd_access.log'.
08-30-2017 21:03:32.011 -0400 INFO WatchedFile - Will begin reading at offset=57592 for file='/opt/splunkforwarder/var/log/splunk/audit.log'.
08-30-2017 21:03:32.013 -0400 INFO WatchedFile - Will begin reading at offset=969 for file='/opt/splunkforwarder/var/log/splunk/conf.log'.
08-30-2017 21:03:32.014 -0400 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/opt/splunkforwarder/var/log/splunk/mongod.log'.
08-30-2017 21:03:32.016 -0400 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/opt/splunkforwarder/var/log/splunk/license_usage.log'.
08-30-2017 21:03:32.017 -0400 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/opt/splunkforwarder/var/log/splunk/license_usage_summary.log'.
08-30-2017 21:03:32.019 -0400 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/opt/splunkforwarder/var/log/splunk/remote_searches.log'.
08-30-2017 21:03:32.020 -0400 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/opt/splunkforwarder/var/log/splunk/scheduler.log'.
08-30-2017 21:03:32.022 -0400 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/opt/splunkforwarder/var/log/splunk/splunkd_ui_access.log'.
08-30-2017 21:03:32.024 -0400 INFO WatchedFile - Will begin reading at offset=369 for file='/opt/splunkforwarder/var/log/splunk/splunkd_stderr.log'.
08-30-2017 21:03:32.025 -0400 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/opt/splunkforwarder/var/log/splunk/splunkd_stdout.log'.
08-30-2017 21:03:32.102 -0400 INFO WatchedFile - Will begin reading at offset=20365668 for file='/opt/splunkforwarder/var/log/splunk/metrics.log'.
08-30-2017 21:14:07.561 -0400 INFO WatchedFile - Will begin reading at offset=0 for file='/opt/scripts/rsda.txt'.
08-30-2017 21:29:06.640 -0400 INFO WatchedFile - Will begin reading at offset=0 for file='/opt/scripts/rsda.txt'.

I need the file /opt/scripts/rsda.txt to be indexed , this is file is recreated every 15 mins....
but this is not coming to indexer
both UF and Indexer are in Linux, ping is working both ways....

I have searched , there are so many posts but none is addressing this problem..

Thank you
AB

Re: Forwarder not sending data to indexer

gcusello — Thu, 31 Aug 2017 09:03:45 GMT

Hi AB,
some questions, to better understand the situation:

when the file is recreated, it's different, the same or both the possibilities?

Surely Splunk don't index it when it's the same, but only when updated.

When you update file, do you modify first chars?

Bye.
Giuseppe

Re: Forwarder not sending data to indexer

722624 — Thu, 31 Aug 2017 09:22:52 GMT

Hello Giuseppe....
the file is created every 15 mins with same file name,,,,but with different content ,
I have total 15 hosts, same configuration , same OS, same UF...13 hosts are sending but 2 hosts are not sending...

Re: Forwarder not sending data to indexer

gcusello — Thu, 31 Aug 2017 09:27:54 GMT

ok for different content, but the first 256 chars hare different or the same?

When you say that the only two servers aren't sending logs, do you mean that the problem is only on two UF and correctly runs on the other 13?
If yes, delete the first question.

Bye.
Giuseppe

Re: Forwarder not sending data to indexer

722624 — Thu, 31 Aug 2017 09:44:17 GMT

Hello Giuseppe,
Thanks for quick response
Yes..first 250 chars are also different
We have same version of UF installed on each of our 15 hosts...13 hosts are sending data to indexer..but 2 hosts are not sending the data

Re: Forwarder not sending data to indexer

gcusello — Thu, 31 Aug 2017 09:54:27 GMT

Yes, the problem that you don't index updates there is only on two Forwarders or in all Forwarders?
if the first, you have to check if the two Forwarders send other logs to Indexer ( index=_internal host=your_host1 OR host=your_host2 ).
If the second, it's a different problem.
Bye.
Giuseppe

Re: Forwarder not sending data to indexer

722624 — Tue, 29 Sep 2020 15:34:18 GMT

only two forwrarders are not sending... index=_internal host=your_host1 ...is not giving any data

Re: Forwarder not sending data to indexer

gcusello — Tue, 29 Sep 2020 15:34:20 GMT

This means that the problem isn't in the ingestion of the variation of the file, te problem in in connection!

at first check if firewalls rules are open, using telnet IP_Indexer 9997

if ok, check hostname in $SPLUNK_HOME/etc/system/local/inputs.conf and $SPLUNK_HOME/etc/system/local/server.conf (beware if you have the same hostname of another forwarder sometimes it happens!)

if ok, check if outputs.conf is correctly configurated (usually is in $SPLUNK_HOME/etc/system/local/ or in a dedicated App): you must have something like this:

[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = IP_Indexer:9997
disabled=false
[tcpout-server://IP_Indexer:9997]

otherwise see at http://docs.splunk.com/Documentation/Forwarder/6.6.3/Forwarder/Troubleshoottheuniversalforwarder

Bye.
Giuseppe

Re: Forwarder not sending data to indexer

muszyngr — Mon, 09 Mar 2020 23:20:45 GMT

ok, so what did it what fixed it? this is so frustrating finding unanswered threads, not your fault, just the Splunk Documentation is so lacking and here I am three years later with a very similar issue

Re: Forwarder not sending data to indexer

woodcock — Tue, 10 Mar 2020 04:40:40 GMT

You need to modify CHECK_METHOD in props.conf to modtime (checks only modification time of file):
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf?utm_source=answers&utm_medium=in-answer&utm_term=props.conf&utm_campaign=refdoc#File_checksum_configuration