https://community.splunk.com/t5/Getting-Data-In/SPLUNK-INDEX-Discovery/m-p/455271#M95267 <P>Hi Guys, </P> <P>I have configured using index discovery for my forwarder which are forwarding my firewall logs.<BR /> I saw from my splunkd.log it seems like the connection to my indexer is successful however, i can't see any logs from my indexer dashboard. </P> <P>x.x.x.x is my 1st index server<BR /> y.y.y.y is my 2nd index server</P> <H5>logs</H5> <P>05-15-2019 03:59:05.238 +0800 INFO TcpOutputProc - Connected to idx=x.x.x.x:9997, pset=0, reuse=0. using ACK.<BR /> 05-15-2019 03:59:10.784 +0800 WARN TailReader - Could not send data to output queue (parsingQueue), retrying...<BR /> 05-15-2019 03:59:35.133 +0800 INFO TcpOutputProc - Closing stream for idx=x.x.x.x:9997<BR /> 05-15-2019 03:59:35.133 +0800 INFO TcpOutputProc - Connected to idx=y.y.y.y:9997, pset=0, reuse=0. using ACK.<BR /> 05-15-2019 03:59:40.785 +0800 INFO TailReader - ...continuing.<BR /> 05-15-2019 03:59:45.785 +0800 WARN TailReader - Could not send data to output queue (parsingQueue), retrying...<BR /> 05-15-2019 04:00:08.725 +0800 INFO TailReader - ...continuing.<BR /> 05-15-2019 04:01:00.462 +0800 INFO ArchiveProcessor - Handling file=/var/log/fortigate/fortigate.log-20190515.gz<BR /> 05-15-2019 04:01:00.462 +0800 INFO ArchiveProcessor - new tailer already processed path=/var/log/fortigate/fortigate.log-20190515.gz<BR /> 05-15-2019 04:01:04.850 +0800 INFO TcpOutputProc - Closing stream for idx=y.y.y.y:9997<BR /> 05-15-2019 04:01:04.850 +0800 INFO TcpOutputProc - Connected to idx=x.x.x.x:9997, pset=0, reuse=0. using ACK.<BR /> 05-15-2019 04:03:04.453 +0800 INFO TcpOutputProc - Closing stream for idx=x.x.x.x:9997<BR /> 05-15-2019 04:03:04.453 +0800 INFO TcpOutputProc - Connected to idx=y.y.y.y::9997, pset=0, reuse=0. using ACK.<BR /> 05-15-2019 04:04:04.270 +0800 INFO TcpOutputProc - Closing stream for idx=y.y.y.y:9997<BR /> 05-15-2019 04:04:04.270 +0800 INFO TcpOutputProc - Connected to idx=x.x.x.x:9997, pset=0, reuse=0. using ACK.</P> <P>The indexes over at the index servers are not updated with any latest event as well. <BR /> Any idea how i can troubleshoot on this issue ?</P> <P>Thanks</P> Tue, 14 May 2019 20:08:01 GMT christay 2019-05-14T20:08:01Z https://community.splunk.com/t5/Getting-Data-In/SPLUNK-INDEX-Discovery/m-p/455271#M95267 <P>Hi Guys, </P> <P>I have configured using index discovery for my forwarder which are forwarding my firewall logs.<BR /> I saw from my splunkd.log it seems like the connection to my indexer is successful however, i can't see any logs from my indexer dashboard. </P> <P>x.x.x.x is my 1st index server<BR /> y.y.y.y is my 2nd index server</P> <H5>logs</H5> <P>05-15-2019 03:59:05.238 +0800 INFO TcpOutputProc - Connected to idx=x.x.x.x:9997, pset=0, reuse=0. using ACK.<BR /> 05-15-2019 03:59:10.784 +0800 WARN TailReader - Could not send data to output queue (parsingQueue), retrying...<BR /> 05-15-2019 03:59:35.133 +0800 INFO TcpOutputProc - Closing stream for idx=x.x.x.x:9997<BR /> 05-15-2019 03:59:35.133 +0800 INFO TcpOutputProc - Connected to idx=y.y.y.y:9997, pset=0, reuse=0. using ACK.<BR /> 05-15-2019 03:59:40.785 +0800 INFO TailReader - ...continuing.<BR /> 05-15-2019 03:59:45.785 +0800 WARN TailReader - Could not send data to output queue (parsingQueue), retrying...<BR /> 05-15-2019 04:00:08.725 +0800 INFO TailReader - ...continuing.<BR /> 05-15-2019 04:01:00.462 +0800 INFO ArchiveProcessor - Handling file=/var/log/fortigate/fortigate.log-20190515.gz<BR /> 05-15-2019 04:01:00.462 +0800 INFO ArchiveProcessor - new tailer already processed path=/var/log/fortigate/fortigate.log-20190515.gz<BR /> 05-15-2019 04:01:04.850 +0800 INFO TcpOutputProc - Closing stream for idx=y.y.y.y:9997<BR /> 05-15-2019 04:01:04.850 +0800 INFO TcpOutputProc - Connected to idx=x.x.x.x:9997, pset=0, reuse=0. using ACK.<BR /> 05-15-2019 04:03:04.453 +0800 INFO TcpOutputProc - Closing stream for idx=x.x.x.x:9997<BR /> 05-15-2019 04:03:04.453 +0800 INFO TcpOutputProc - Connected to idx=y.y.y.y::9997, pset=0, reuse=0. using ACK.<BR /> 05-15-2019 04:04:04.270 +0800 INFO TcpOutputProc - Closing stream for idx=y.y.y.y:9997<BR /> 05-15-2019 04:04:04.270 +0800 INFO TcpOutputProc - Connected to idx=x.x.x.x:9997, pset=0, reuse=0. using ACK.</P> <P>The indexes over at the index servers are not updated with any latest event as well. <BR /> Any idea how i can troubleshoot on this issue ?</P> <P>Thanks</P> Tue, 14 May 2019 20:08:01 GMT https://community.splunk.com/t5/Getting-Data-In/SPLUNK-INDEX-Discovery/m-p/455271#M95267 christay 2019-05-14T20:08:01Z https://community.splunk.com/t5/Getting-Data-In/SPLUNK-INDEX-Discovery/m-p/455272#M95268 <P>Is your forwarder running as the splunk user? Files and directories under /var/log/ are typically owned by root. <BR /> Try changing the user on your forwarder, or change the ownerships of your directory under /var/log/</P> Tue, 14 May 2019 22:09:47 GMT https://community.splunk.com/t5/Getting-Data-In/SPLUNK-INDEX-Discovery/m-p/455272#M95268 codebuilder 2019-05-14T22:09:47Z https://community.splunk.com/t5/Getting-Data-In/SPLUNK-INDEX-Discovery/m-p/455273#M95269 <P>I have changed the ownership of /var/log to splunk user, but the result is still the same.<BR /> The splunkd.log doesn't share much insight to the issue as well....</P> Wed, 15 May 2019 00:54:21 GMT https://community.splunk.com/t5/Getting-Data-In/SPLUNK-INDEX-Discovery/m-p/455273#M95269 christay 2019-05-15T00:54:21Z