topic Re: Issue in getting data from universal forwarder in Getting Data In

Issue in getting data from universal forwarder

chchanda — Wed, 16 Jun 2021 13:46:25 GMT

Hi There,

I have placed inputs.conf and outputs.conf on Splunk UF installed on application server to fetch the logs from a specific path but Splunk is not reading the same. I have tried to change the location of inputs.conf from Splunk_home/etc/apps/TA/local to /Splunk_home/etc/system/local but still no luck.

Don't know what is the issue for fetching data to Splunk, however, I am able to see the internal logs in Search Head.

Can anyone please help here?

Thanks in advance!!

Re: Issue in getting data from universal forwarder

venkatasri — Thu, 17 Jun 2021 00:28:05 GMT

Hi @chchanda

It could be a permissions issue good place to check is splunkd.log or _internal index for errors, You can check the current monitor status by issuing command under $SPLUNK_HOME/bin use the "./splunk list inputstatus" to get more detailed info on where Splunk is in reading the different files.

Can you share the inputs.conf to see how did you configured?

---

An upvote would be appreciated if it helps!

Re: Issue in getting data from universal forwarder

isoutamo — Thu, 17 Jun 2021 06:57:41 GMT

As @venkatasri said, it's probably access right issues.

Which platform those UF's are?
Are you using DS for deploy those configs (probably not as you try to put those under system/local)
- My guidelines is that never ever put anything under system/local if it works somewhere else
Have you restart UF after adding those configurations or have you added those with CLI commands?
Which user is running splunk
Have you check UF's splunkd.log to see if there are any errors related to this
Are UF's internal log seen on splunk SH?

r. Ismo

Re: Issue in getting data from universal forwarder

chchanda — Thu, 17 Jun 2021 09:07:31 GMT

Hi @isoutamo

Which platform those UF's are? -- Windows platform
Are you using DS for deploy those configs (probably not as you try to put those under system/local) -- No DS
- My guidelines is that never ever put anything under system/local if it works somewhere else -- This is just for testing purpose, but reverted the change from etc/system/local to etc/apps/TA/local
Have you restart UF after adding those configurations or have you added those with CLI commands? ----Since it is Windows, have placed the TA manually by copy paste. Restarted Splunk services from Services
Which user is running splunk -- We have a user called splunk
Have you check UF's splunkd.log to see if there are any errors related to this -- Till now no such errors, but can see INFO ProxyConfig - Failed to initialize https_proxy from server.conf for splunkd.
Are UF's internal log seen on splunk SH? -- Yes I can see the splunk internal logs on SH but not the logs on the specified index

Re: Issue in getting data from universal forwarder

isoutamo — Thu, 17 Jun 2021 12:04:20 GMT

as it's windows platform you must use windows notation for those paths not unix version.

e.g. C:\temp\foo.bar

If you want collect data from network shares you must have user which have access to those shares, usually it means domain user.

And check that your splunk user has access to those directories/files which you try to ingest.

As you get those internal logs to splunk then we are knowing that connection is ok and the issue is definitely on UF side.

r. Ismo