topic Re: unable to send data to indexer. in Getting Data In

unable to send data to indexer.

sherrysafdar — Sat, 07 Sep 2019 18:48:08 GMT

Hello, this is my forwarder inputs.conf looks like but I am unable to see any data in the second index cisco_asa.

index fortinet works just fine.

[default]
host = ABC

[monitor://D:\Syslog\Fortinet]
index = fortinet
sourcetype = fortigate

[monitor://D:\Syslog\ASA]
index = cisco_asa
sourcetype = cisco:asa

Please advise!

richgalloway — Sat, 07 Sep 2019 21:28:33 GMT

Can you see any data in index=fortinet?
Is there data in D:\Syslog\ASA?
Are there any relevant messages in the forwarder's splunkd.log?

sherrysafdar — Sat, 07 Sep 2019 23:28:54 GMT

Yes, I can see data in index=fortinet

However, I cannot see any data in index=cisco_asa

Yes, there is data is D:\Syslog\ASA

ashutoshab — Wed, 30 Sep 2020 02:05:28 GMT

Based on your inputs, I am putting few ways where it might have gone wrong.

There is no data in D:\Syslog\ASA. But as you said, there is data.
Check the user splunk running with, does he have permission to access D:\Syslog\ASA
On indexer, there is no index created with the name cisco_asa. In such case, the indexer will throw warnings that there is data coming for this index which in not present.
The most common mistake, the data is perfectly indexed in index=cisco_asa but, the User Role you are logged in with does not have 'cisco_asa' index added to searchable list. Using Admin user, Please visit Settings >>> access control >>> [your user role] >>> check the list of indexes allowed to be searched for your role.

Above are some causes that make some indexed data not searchable. Please do a check and revert.