https://community.splunk.com/t5/Getting-Data-In/Few-forwarders-not-sending-data/m-p/345780#M63529 <P>Hey everyone, I have installed UF agents in 180 servers and i have seen the data coming to splunk yesterday. But now i have noticed three of them are not sending data, I mean i am seeing 177 hosts in splunk. So how can we find out what are those three UF's which is not sending data. I have configured all these using Deployment server. Same index and same sourcetype. And is there a way that we can get alerts when the forwarder stops sending data or gets any issue? I am using splunk 6.3. Thank you</P> Thu, 14 Dec 2017 18:41:14 GMT Vetrikmr 2017-12-14T18:41:14Z https://community.splunk.com/t5/Getting-Data-In/Few-forwarders-not-sending-data/m-p/345780#M63529 <P>Hey everyone, I have installed UF agents in 180 servers and i have seen the data coming to splunk yesterday. But now i have noticed three of them are not sending data, I mean i am seeing 177 hosts in splunk. So how can we find out what are those three UF's which is not sending data. I have configured all these using Deployment server. Same index and same sourcetype. And is there a way that we can get alerts when the forwarder stops sending data or gets any issue? I am using splunk 6.3. Thank you</P> Thu, 14 Dec 2017 18:41:14 GMT https://community.splunk.com/t5/Getting-Data-In/Few-forwarders-not-sending-data/m-p/345780#M63529 Vetrikmr 2017-12-14T18:41:14Z https://community.splunk.com/t5/Getting-Data-In/Few-forwarders-not-sending-data/m-p/345781#M63530 <P>See this<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/7.0.1/Troubleshooting/Cantfinddata">http://docs.splunk.com/Documentation/Splunk/7.0.1/Troubleshooting/Cantfinddata</A></P> Thu, 14 Dec 2017 21:29:25 GMT https://community.splunk.com/t5/Getting-Data-In/Few-forwarders-not-sending-data/m-p/345781#M63530 somesoni2 2017-12-14T21:29:25Z https://community.splunk.com/t5/Getting-Data-In/Few-forwarders-not-sending-data/m-p/345782#M63531 <P>hello there,</P> <P>when you say "not sending data" do you mean to the regular indexes or to _internal index?<BR /> try this to find out how many distinct forwarders are out there and who sends to _internal but does not send "data": </P> <PRE><CODE>| tstats dc(host) as unique values(host) as hosts where index=_* | mvexpand hosts | appendcols [ | tstats values(host) as data_hosts where index=*] | eval match = if(hosts=data_hosts,1,0) | where match=0 </CODE></PRE> <P>if you have only 177 distinct forwarders, then you will probably will have to manuallt figure out where are the other 3.<BR /> if you have 180 sends to _internal then it means that those unique 3 either have wrong inputs on them or there is no data generated.</P> <P>hope it helps</P> Thu, 14 Dec 2017 21:37:10 GMT https://community.splunk.com/t5/Getting-Data-In/Few-forwarders-not-sending-data/m-p/345782#M63531 adonio 2017-12-14T21:37:10Z https://community.splunk.com/t5/Getting-Data-In/Few-forwarders-not-sending-data/m-p/345783#M63532 <P>I am not sure what this search is doing. I went line by line and was following up until I got to line 3. Line three adds a field with all the host, but just for the first entry, as least it does when I run them. From here, only the all 500+ host would still be listed at step five, except for the first one.</P> <P>Is there something I am missing?</P> <P>what I did get to work, or it seems like it works, is this: </P> <P><CODE>| tstats dc(host) as unique values(host) as hosts where index=_* <BR /> | appendcols [ | tstats values(host) as data_hosts where index=*] <BR /> | mvexpand hosts <BR /> | eval match = if(hosts=data_hosts,1,0) <BR /> | where match=0</CODE></P> Fri, 16 Feb 2018 16:11:06 GMT https://community.splunk.com/t5/Getting-Data-In/Few-forwarders-not-sending-data/m-p/345783#M63532 cboillot 2018-02-16T16:11:06Z