https://community.splunk.com/t5/Getting-Data-In/Why-did-a-Splunk-forwarder-stop-sending-to-log-packet/m-p/475848#M81660 <P>It was working fine until 1 month ago.<BR /> There was no Splunk forwarder and network configuration change.<BR /> No packets from the forwarder to the indexer.<BR /> How can I solve the problem?</P> Tue, 07 Jan 2020 07:36:23 GMT lifekis 2020-01-07T07:36:23Z https://community.splunk.com/t5/Getting-Data-In/Why-did-a-Splunk-forwarder-stop-sending-to-log-packet/m-p/475848#M81660 <P>It was working fine until 1 month ago.<BR /> There was no Splunk forwarder and network configuration change.<BR /> No packets from the forwarder to the indexer.<BR /> How can I solve the problem?</P> Tue, 07 Jan 2020 07:36:23 GMT https://community.splunk.com/t5/Getting-Data-In/Why-did-a-Splunk-forwarder-stop-sending-to-log-packet/m-p/475848#M81660 lifekis 2020-01-07T07:36:23Z https://community.splunk.com/t5/Getting-Data-In/Why-did-a-Splunk-forwarder-stop-sending-to-log-packet/m-p/475849#M81661 <P>Hi @lifekis,<BR /> what's tha last date you received logs?<BR /> if you have logs until 31/12/2019 and not more after, probably the problem is the timestamp parsing: if you have a date in format dd/mm/yyyy, Splunk usually read as format mm/dd/yyyy, so it correctly read them after the 13th of each month, but take the wrong format until the 12th of each month.<BR /> You can check this problem verifying if you have logs of 7th of January on the 1st of july.</P> <P>To solve the problem, you have to set the correct TIME_FORMAT in props.conf.</P> <P>Ciao.<BR /> Giuseppe</P> Tue, 07 Jan 2020 11:54:55 GMT https://community.splunk.com/t5/Getting-Data-In/Why-did-a-Splunk-forwarder-stop-sending-to-log-packet/m-p/475849#M81661 gcusello 2020-01-07T11:54:55Z https://community.splunk.com/t5/Getting-Data-In/Why-did-a-Splunk-forwarder-stop-sending-to-log-packet/m-p/475850#M81662 <P>I haven't received it since December 13, 2019 (GMT + 9). There is a log in the forwarder but I don't know why not forwarding it.</P> Wed, 08 Jan 2020 00:02:40 GMT https://community.splunk.com/t5/Getting-Data-In/Why-did-a-Splunk-forwarder-stop-sending-to-log-packet/m-p/475850#M81662 lifekis 2020-01-08T00:02:40Z https://community.splunk.com/t5/Getting-Data-In/Why-did-a-Splunk-forwarder-stop-sending-to-log-packet/m-p/475851#M81663 <P>Here are the steps I would take to troubleshoot - <BR /> (1) Login to the server to make sure splunk process is running<BR /> (2) Check that your outputs.conf is still on the system<BR /> (3) Try to do a network connectivity test to your HF/Indexer<BR /> (4) Check splunkd.log to see if there are any errors</P> Wed, 08 Jan 2020 00:19:26 GMT https://community.splunk.com/t5/Getting-Data-In/Why-did-a-Splunk-forwarder-stop-sending-to-log-packet/m-p/475851#M81663 gnangia 2020-01-08T00:19:26Z https://community.splunk.com/t5/Getting-Data-In/Why-did-a-Splunk-forwarder-stop-sending-to-log-packet/m-p/475852#M81664 <P>Hi @lifekis,<BR /> ok, let start dubugging:<BR /> at first check if you have internal logs from that server (<CODE>index=_internal host=your_host</CODE>).<BR /> If you haven't them, the problem is on the connection, so test the route (from the UF <CODE>telnet ip_splunk_indexer 9997</CODE>).<BR /> if Nok verify firewall route between servers, if Ok check in outputs.conf on UF if the address of the Indexers is correct.</P> <P>If instead you have Splunk internal logs but not the logs you want, check in inputs.conf if the path and the filename of the monitor stanza is still correct.</P> <P>Ciao.<BR /> Giuseppe</P> Wed, 08 Jan 2020 07:54:24 GMT https://community.splunk.com/t5/Getting-Data-In/Why-did-a-Splunk-forwarder-stop-sending-to-log-packet/m-p/475852#M81664 gcusello 2020-01-08T07:54:24Z https://community.splunk.com/t5/Getting-Data-In/Why-did-a-Splunk-forwarder-stop-sending-to-log-packet/m-p/475853#M81665 <P>Thank you for answer! I checked the disconnection log in splunkd.log.</P> Fri, 10 Jan 2020 07:45:36 GMT https://community.splunk.com/t5/Getting-Data-In/Why-did-a-Splunk-forwarder-stop-sending-to-log-packet/m-p/475853#M81665 lifekis 2020-01-10T07:45:36Z