https://community.splunk.com/t5/Splunk-ITSI/I-see-traffic-from-forwarder-to-indexers-but-I-cant-find/m-p/496882#M1977 <P>you cannot search anything on the SH <EM>(assuming no data on index=apache)</EM> but you see traffic logs (assuming the forwarder is already connected to the indexers)</P> <P>have you tried checking on splunkd.log if there are any errors? are the sources being monitored? <EM>(run <CODE>./splunk list monitor</CODE> on the UF)</EM></P> Thu, 30 Apr 2020 09:47:15 GMT lloydknight 2020-04-30T09:47:15Z https://community.splunk.com/t5/Splunk-ITSI/I-see-traffic-from-forwarder-to-indexers-but-I-cant-find/m-p/496878#M1973 <P>I have installed a forwarder on my apache serer and I see traffic (logs) moving from the web server to the indexers.<BR />When I run the command below on my search heads (plus ITSI), I get nothing.</P> <P><STRONG>| eventcount summarize=false index=* index=_* | dedup index | fields index</STRONG></P> <P>my input.conf:<BR />[monitor:///web/JBossWeb/jws-3.0/https/logs/access.log.$(date +%Y.%m.%d)]<BR />sourcetype=apache_access<BR />disabled = 0<BR />index = apache</P> <P>[monitor:///web/JBossWeb/jws-3.0/https/logs/error.log.$(date +%Y.%m.%d)]<BR />sourcetype=apache_error<BR />disabled = 0<BR />index = apache</P> <P>Please help.<BR />Thank you.</P> Sun, 07 Jun 2020 00:26:57 GMT https://community.splunk.com/t5/Splunk-ITSI/I-see-traffic-from-forwarder-to-indexers-but-I-cant-find/m-p/496878#M1973 millinkan 2020-06-07T00:26:57Z https://community.splunk.com/t5/Splunk-ITSI/I-see-traffic-from-forwarder-to-indexers-but-I-cant-find/m-p/496879#M1974 <P>What are you trying to do? Get an eventcount? Because that's what the search does. There's a small mistake in your search, should be <CODE>| eventcount summarize=false index=* index=_* | dedup index | fields index</CODE></P> <P>Also, you can write <CODE>| eventcount summarize=false index=* index=_* | stats values(index)</CODE> instead.</P> <P>Skalli</P> Wed, 18 Mar 2020 09:59:55 GMT https://community.splunk.com/t5/Splunk-ITSI/I-see-traffic-from-forwarder-to-indexers-but-I-cant-find/m-p/496879#M1974 skalliger 2020-03-18T09:59:55Z https://community.splunk.com/t5/Splunk-ITSI/I-see-traffic-from-forwarder-to-indexers-but-I-cant-find/m-p/496880#M1975 <P>Thanks for the alternate search query. </P> Wed, 18 Mar 2020 10:13:09 GMT https://community.splunk.com/t5/Splunk-ITSI/I-see-traffic-from-forwarder-to-indexers-but-I-cant-find/m-p/496880#M1975 millinkan 2020-03-18T10:13:09Z https://community.splunk.com/t5/Splunk-ITSI/I-see-traffic-from-forwarder-to-indexers-but-I-cant-find/m-p/496881#M1976 <P>I used the below in my inputs.conf and it worked.</P> <P>[monitor:///web/JBossWeb/jws-3.0/httpd/logs/error.log.*]<BR /> sourcetype=apache_error<BR /> disabled = 0<BR /> index = linux<BR /> crcSalt=<BR /> ignoreOlderThan = 0d</P> <P>Thanks for you assistance</P> Thu, 30 Apr 2020 08:08:04 GMT https://community.splunk.com/t5/Splunk-ITSI/I-see-traffic-from-forwarder-to-indexers-but-I-cant-find/m-p/496881#M1976 millinkan 2020-04-30T08:08:04Z https://community.splunk.com/t5/Splunk-ITSI/I-see-traffic-from-forwarder-to-indexers-but-I-cant-find/m-p/496882#M1977 <P>you cannot search anything on the SH <EM>(assuming no data on index=apache)</EM> but you see traffic logs (assuming the forwarder is already connected to the indexers)</P> <P>have you tried checking on splunkd.log if there are any errors? are the sources being monitored? <EM>(run <CODE>./splunk list monitor</CODE> on the UF)</EM></P> Thu, 30 Apr 2020 09:47:15 GMT https://community.splunk.com/t5/Splunk-ITSI/I-see-traffic-from-forwarder-to-indexers-but-I-cant-find/m-p/496882#M1977 lloydknight 2020-04-30T09:47:15Z