<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Forwarder Phoning Home but No Logs Found in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Forwarder-Phoning-Home-but-No-Logs-Found/m-p/372545#M67587</link>
    <description>&lt;P&gt;You better start with &lt;A href="http://docs.splunk.com/Documentation/Splunk/6.6.2/Troubleshooting/Cantfinddata"&gt;I can't find my data!&lt;/A&gt;&lt;/P&gt;</description>
    <pubDate>Thu, 17 Aug 2017 14:37:54 GMT</pubDate>
    <dc:creator>ddrillic</dc:creator>
    <dc:date>2017-08-17T14:37:54Z</dc:date>
    <item>
      <title>Forwarder Phoning Home but No Logs Found</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Forwarder-Phoning-Home-but-No-Logs-Found/m-p/372544#M67586</link>
      <description>&lt;P&gt;I have all fifty-two forwarders phoning home to the server. However, I can't see any logs from the hosts besides the server itself. So, the computer where the Enterprise is installed has no issues with its logs being captured, but every other host has the issue. I don't believe it's a Firewall complication since I've turned it off.&lt;/P&gt;

&lt;P&gt;What I am looking for is some areas to troubleshoot this problem -- any pointers on where to look. I have three apps (&lt;STRONG&gt;_server_app_windowshost&lt;/STRONG&gt;, &lt;STRONG&gt;splunk_TA_windows&lt;/STRONG&gt;, and &lt;STRONG&gt;uf_outputs&lt;/STRONG&gt;) which say they have all been deployed to 100% of the hosts.&lt;/P&gt;

&lt;P&gt;I did copy over my &lt;STRONG&gt;uf_outputs&lt;/STRONG&gt; and &lt;STRONG&gt;_server_app_windowshost&lt;/STRONG&gt; files from my other network, edited the IP address where needed, then placed them on the new server under &lt;STRONG&gt;deployment apps&lt;/STRONG&gt;.&lt;/P&gt;

&lt;P&gt;Any advice on what to look for would be helpful. Thanks.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 15:23:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Forwarder-Phoning-Home-but-No-Logs-Found/m-p/372544#M67586</guid>
      <dc:creator>drizzo</dc:creator>
      <dc:date>2020-09-29T15:23:19Z</dc:date>
    </item>
    <item>
      <title>Re: Forwarder Phoning Home but No Logs Found</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Forwarder-Phoning-Home-but-No-Logs-Found/m-p/372545#M67587</link>
      <description>&lt;P&gt;You better start with &lt;A href="http://docs.splunk.com/Documentation/Splunk/6.6.2/Troubleshooting/Cantfinddata"&gt;I can't find my data!&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 17 Aug 2017 14:37:54 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Forwarder-Phoning-Home-but-No-Logs-Found/m-p/372545#M67587</guid>
      <dc:creator>ddrillic</dc:creator>
      <dc:date>2017-08-17T14:37:54Z</dc:date>
    </item>
    <item>
      <title>Re: Forwarder Phoning Home but No Logs Found</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Forwarder-Phoning-Home-but-No-Logs-Found/m-p/372546#M67588</link>
      <description>&lt;P&gt;I'd start by making sure the forwarders are connecting to the indexers, not just the deployment server.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index=_internal source=*metrics.log* tcpin_connections | stats count by sourceIp
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;You should see connections from the forwarders, and if they are connected you should also be able to search _internal for each host, since they should be forwarding internal data. If they aren't connected, I would check your outputs deployed to the forwarders.&lt;/P&gt;

&lt;P&gt;If they are connecting, just not sending the Windows data you are expecting, I would check the monitor on the forwarder. On a forwarder you can run "./splunk list monitor" to see which files it is trying to monitor and forward. If what you are looking for isn't listed, I'd check the deployment server for the app that defines the inputs and make sure the app is set to trigger a restart when updated. It could be possible the app was deployed but Splunk was not restarted and the forwarder has not yet loaded in the inputs.&lt;/P&gt;</description>
      <pubDate>Fri, 18 Aug 2017 14:16:22 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Forwarder-Phoning-Home-but-No-Logs-Found/m-p/372546#M67588</guid>
      <dc:creator>mdsnmss</dc:creator>
      <dc:date>2017-08-18T14:16:22Z</dc:date>
    </item>
  </channel>
</rss>

