https://community.splunk.com/t5/Installation/Splunk-Heavy-Forwarder-Problem/m-p/628169#M12299 <P>You seem to have multiple separate problems here. So isolate them and try to troubleshoot one by one.</P><P>First question is what architecture do you have. Second - what _is_ working. Third - what change did you introduce lately. What was the expected behaviour after this change and what is the actual observed behaviour.</P><P>Don't try to do multiple things at once and then try to pinpoint why something is not working as expected because this way you can't track cause-effect relationships.</P> Tue, 24 Jan 2023 16:25:12 GMT PickleRick 2023-01-24T16:25:12Z https://community.splunk.com/t5/Installation/Splunk-Heavy-Forwarder-Problem/m-p/628141#M12297 <P>Hello Community,</P><P>I would like to inquire about some issues I am facing while setting up a heavy forwarder in splunk. Please take a look at the below issues :-&nbsp;</P><P>1) Hosts are visible in splunk but all of them are not forwarding their logs to the indexer.</P><P>2) Linux server are not able to forward logs to the indexer.</P><P>3) Some host are able to forward their logs to indexer post a modification in their universal forwarder file manually, but it takes an hour or so before they forward their logs.</P><P>4) The most recently added do not show their logs in real time i.e. when a time frame recently added devices should logs in last 4 hours or 60 minutes but they do show only post 24 hours time filter.</P><P>&nbsp;</P><P>Thanks in advance.</P> Tue, 24 Jan 2023 13:38:17 GMT https://community.splunk.com/t5/Installation/Splunk-Heavy-Forwarder-Problem/m-p/628141#M12297 Darsh1561 2023-01-24T13:38:17Z https://community.splunk.com/t5/Installation/Splunk-Heavy-Forwarder-Problem/m-p/628167#M12298 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/253185">@Darsh1561</a>m,</P><P>please detail your questions:</P><P><STRONG>1) Hosts are visible in splunk but all of them are not forwarding their logs to the indexer.</STRONG></P><P>you mean that you see some hosts in the Deployment Server but that you don't see their logs or what else?</P><P><STRONG>2) Linux server are not able to forward logs to the indexer.</STRONG></P><P>are you meaning that all your Linux servers don't sed logs?</P><P>I suppose that you already configured:</P><UL><LI>your indexers and your Heavy Forwarders to receive logs,</LI><LI>your Forwarders to send logs to the Indexers or to Heavy Forwarders,&nbsp;</LI></UL><P>how did you do this?</P><P>did you checked that the firewall routes between Forwarders and Indexers and Heavy Forwarders are open?</P><P>What's you architecture?</P><P><STRONG>3) Some host are able to forward their logs to indexer post a modification in their universal forwarder file manually, but it takes an hour or so before they forward their logs.</STRONG></P><P>Which local configuration did you do?</P><P>are you using a Deployment server?</P><P>have you followed the instructions at&nbsp;<A href="https://www.splunk.com/en_us/resources/videos/getting-data-in-with-forwarders.html" target="_blank">https://www.splunk.com/en_us/resources/videos/getting-data-in-with-forwarders.html</A>&nbsp;or&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Usingforwardingagents" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Usingforwardingagents</A>&nbsp;or&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.0.3/Forwarding/Aboutforwardingandreceivingdata" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.3/Forwarding/Aboutforwardingandreceivingdata</A>&nbsp;?</P><P><STRONG>4) The most recently added do not show their logs in real time i.e. when a time frame recently added devices should logs in last 4 hours or 60 minutes but they do show only post 24 hours time filter.</STRONG></P><P>did you checked the timestamp of these events, is it correct?</P><P>Ciao.</P><P>Giuseppe</P> Tue, 24 Jan 2023 16:21:14 GMT https://community.splunk.com/t5/Installation/Splunk-Heavy-Forwarder-Problem/m-p/628167#M12298 gcusello 2023-01-24T16:21:14Z https://community.splunk.com/t5/Installation/Splunk-Heavy-Forwarder-Problem/m-p/628169#M12299 <P>You seem to have multiple separate problems here. So isolate them and try to troubleshoot one by one.</P><P>First question is what architecture do you have. Second - what _is_ working. Third - what change did you introduce lately. What was the expected behaviour after this change and what is the actual observed behaviour.</P><P>Don't try to do multiple things at once and then try to pinpoint why something is not working as expected because this way you can't track cause-effect relationships.</P> Tue, 24 Jan 2023 16:25:12 GMT https://community.splunk.com/t5/Installation/Splunk-Heavy-Forwarder-Problem/m-p/628169#M12299 PickleRick 2023-01-24T16:25:12Z https://community.splunk.com/t5/Installation/Splunk-Heavy-Forwarder-Problem/m-p/628709#M12303 <P>Thanks for your input.</P> Sat, 28 Jan 2023 15:44:00 GMT https://community.splunk.com/t5/Installation/Splunk-Heavy-Forwarder-Problem/m-p/628709#M12303 Darsh1561 2023-01-28T15:44:00Z https://community.splunk.com/t5/Installation/Splunk-Heavy-Forwarder-Problem/m-p/629826#M12365 <P>Thank you!&nbsp; that make sense</P> Tue, 07 Feb 2023 05:22:47 GMT https://community.splunk.com/t5/Installation/Splunk-Heavy-Forwarder-Problem/m-p/629826#M12365 aad 2023-02-07T05:22:47Z https://community.splunk.com/t5/Installation/Splunk-Heavy-Forwarder-Problem/m-p/629839#M12366 <P>Hi at all,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by all the contributors <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 07 Feb 2023 07:30:15 GMT https://community.splunk.com/t5/Installation/Splunk-Heavy-Forwarder-Problem/m-p/629839#M12366 gcusello 2023-02-07T07:30:15Z