topic Re: Why am I unable to forward data from Universal forwarder? in Getting Data In

Why am I unable to forward data from Universal forwarder?

Rebeccakettler — Fri, 18 May 2018 17:33:49 GMT

I am trying to index new data and it is not happening.

I am indexing a single log file that is being written to by the server when ever new events are added.

I put this statement into the MSIADDED inputs on the universal forwarder because that is where my current input live.

This is what I added.

[Monitor://D:\Software\Waratek\HR-Config\HR.log]
disabled = 0
sourcetype = waratek
index = main

This is sample of the file.

2018-05-02 11:02:09,851  CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 02|Load Rule|Low|outcome=success
2018-05-02 11:02:13,252  CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 02|Link Rule|Low|outcome=success
2018-05-02 11:02:13,263  CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 03|Load Rule|Low|outcome=success
2018-05-02 11:02:14,135  CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 03|Link Rule|Low|outcome=success

I can see the sourcetype show up in data summary; however, when I search for the data there is nothing there. Any suggestions here?

Re: Why am I unable to forward data from Universal forwarder?

somesoni2 — Fri, 18 May 2018 18:11:33 GMT

In data summary, does the sourcetype shows any count? The events seems to be from May 2nd, does your time range large enough to include this? Does your user role has access to read data from index main?

Re: Why am I unable to forward data from Universal forwarder?

Rebeccakettler — Fri, 18 May 2018 18:35:33 GMT

It will show 64 lines. I did not count them specifically but it looks right.
I have been putting my searches to All Time searches.
I am an admin but I also just verified my role. I have default admin and rights to all non internal and internal indexes.
I have done multiple attempts at the input.conf file (tried it on a different server too). They all show similar issues. I just deleted my fishbucket on the forwarder again and restarted the service. But this has not made a difference in the past. I don't have anything to normalize the data yet but I can't see it soooooo

Re: Why am I unable to forward data from Universal forwarder?

xpac — Sat, 19 May 2018 22:21:01 GMT

You could try this:

| tstats prestats=t count where sourcetype=waratek AND index=* by _time index
| timechart count by index

Set the search range to include events from 10 years ago until 10 years in the future, just in case some strange timestamp recognition happens.

Re: Why am I unable to forward data from Universal forwarder?

Rebeccakettler — Mon, 21 May 2018 12:27:08 GMT

I can see the event count similiar to data summary. When I try to drill down there is nothing there.

Re: Why am I unable to forward data from Universal forwarder?

xpac — Mon, 21 May 2018 12:47:01 GMT

The timechart visualization should also show you the time range in which those events are, that might give you a hint what went wrong (e.g. wrong timestamp recognition = events in the future).

Re: Why am I unable to forward data from Universal forwarder?

Rebeccakettler — Tue, 22 May 2018 11:06:30 GMT

A time chart would not visualize. All I can get is a count. Anything else just drops it. Though I did open a support ticket.

Re: Why am I unable to forward data from Universal forwarder?

Rebeccakettler — Fri, 01 Jun 2018 12:16:56 GMT

I had a typo in the input.conf. The M of MOnitor was capped once that was resolved the data flowed.

Re: Why am I unable to forward data from Universal forwarder?

richgalloway — Fri, 01 Jun 2018 13:04:30 GMT

@Rebeccakettler If your problem is resolved, please accept the answer to help future readers.