https://community.splunk.com/t5/Monitoring-Splunk/Not-getting-splunk-logs/m-p/703781#M10535 <P>That might indicate issues with the receiving indexer. Check its logs and health.</P> Thu, 07 Nov 2024 09:12:36 GMT PickleRick 2024-11-07T09:12:36Z https://community.splunk.com/t5/Monitoring-Splunk/Not-getting-splunk-logs/m-p/703703#M10531 <P>After&nbsp;&nbsp;Splunk forwarder version got upgrade&nbsp;from 9.0.5.0 to 9.3.1.0 windows server are having issue in forwarding the data to Splunk.<BR /><BR />Splunkd is stopping often in different server after restarting splund it start forwarding the data but issue comes again after 2,3 days&nbsp;<BR /><BR />what actions to be taken to make the logs flow easily to Splunk<BR /><BR />&nbsp;</P> Wed, 06 Nov 2024 16:54:38 GMT https://community.splunk.com/t5/Monitoring-Splunk/Not-getting-splunk-logs/m-p/703703#M10531 Praz_123 2024-11-06T16:54:38Z https://community.splunk.com/t5/Monitoring-Splunk/Not-getting-splunk-logs/m-p/703760#M10532 <P>The biggest change on the Universal forwarder from 9.0. &gt; 9.3 was&nbsp;<SPAN class="">least-privileged user.</SPAN></P><P><A href="https://docs.splunk.com/Documentation/Forwarder/9.3.1/Forwarder/InstallaWindowsuniversalforwarderfromaninstaller#Manage_SePrivilegeUser_permissions" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Forwarder/9.3.1/Forwarder/InstallaWindowsuniversalforwarderfromaninstaller#Manage_SePrivilegeUser_permissions</A></P><P>&nbsp;</P><P>Do you see any issues on the permissions? I recommend working with support if this is happening frequently on all your windows hosts.<BR /><BR /><BR /><BR /><BR /></P><P>If this reply helps, Please UpVote.</P> Thu, 07 Nov 2024 04:56:17 GMT https://community.splunk.com/t5/Monitoring-Splunk/Not-getting-splunk-logs/m-p/703760#M10532 sainag_splunk 2024-11-07T04:56:17Z https://community.splunk.com/t5/Monitoring-Splunk/Not-getting-splunk-logs/m-p/703774#M10533 <P>Firstly, check what happens - when the UF "stops", check what's at the end of splunkd.log to see whether anything out of the ordinary happened and see the windows system/application logs for entries regarding splunkd.exe to see if you see any indication of process crashing.</P><P>It might be a configuration issue but it indeed might be a software bug so you might end up calling support for help.</P> Thu, 07 Nov 2024 08:27:06 GMT https://community.splunk.com/t5/Monitoring-Splunk/Not-getting-splunk-logs/m-p/703774#M10533 PickleRick 2024-11-07T08:27:06Z https://community.splunk.com/t5/Monitoring-Splunk/Not-getting-splunk-logs/m-p/703780#M10534 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;<BR /><BR />error is something like&nbsp;<SPAN><SPAN class="">Read error. An existing connection was forcibly closed by the remote host.</SPAN></SPAN></P> Thu, 07 Nov 2024 09:09:35 GMT https://community.splunk.com/t5/Monitoring-Splunk/Not-getting-splunk-logs/m-p/703780#M10534 Praz_123 2024-11-07T09:09:35Z https://community.splunk.com/t5/Monitoring-Splunk/Not-getting-splunk-logs/m-p/703781#M10535 <P>That might indicate issues with the receiving indexer. Check its logs and health.</P> Thu, 07 Nov 2024 09:12:36 GMT https://community.splunk.com/t5/Monitoring-Splunk/Not-getting-splunk-logs/m-p/703781#M10535 PickleRick 2024-11-07T09:12:36Z https://community.splunk.com/t5/Monitoring-Splunk/Not-getting-splunk-logs/m-p/703785#M10537 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;<BR /><BR />&nbsp;like while am searching in Splunk indexer am not able to see host, index and source for the windows server at that specific time.</P> Thu, 07 Nov 2024 09:54:18 GMT https://community.splunk.com/t5/Monitoring-Splunk/Not-getting-splunk-logs/m-p/703785#M10537 Praz_123 2024-11-07T09:54:18Z https://community.splunk.com/t5/Monitoring-Splunk/Not-getting-splunk-logs/m-p/703790#M10539 <P>No. I don't mean searching for the logs from the forwarder. This you won't find, it's obvious.</P><P>You need to look into _internal log for events from your receiving indexer(s) or HF(s) depending on what your infrastructure looks like concerning that disconnecting forwarder.</P> Thu, 07 Nov 2024 10:36:30 GMT https://community.splunk.com/t5/Monitoring-Splunk/Not-getting-splunk-logs/m-p/703790#M10539 PickleRick 2024-11-07T10:36:30Z https://community.splunk.com/t5/Monitoring-Splunk/Not-getting-splunk-logs/m-p/703904#M10544 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;<BR /><BR />so basically there is window server they had U.F which is forwarding data to Splunk.<BR /><BR />While I checked the _internal logs not able to find anything on search head . What should I do next&nbsp;</P> Fri, 08 Nov 2024 09:30:06 GMT https://community.splunk.com/t5/Monitoring-Splunk/Not-getting-splunk-logs/m-p/703904#M10544 Praz_123 2024-11-08T09:30:06Z https://community.splunk.com/t5/Monitoring-Splunk/Not-getting-splunk-logs/m-p/703939#M10545 <P>There is no obvious answer. It might indeed require calling support.</P> Fri, 08 Nov 2024 15:47:49 GMT https://community.splunk.com/t5/Monitoring-Splunk/Not-getting-splunk-logs/m-p/703939#M10545 PickleRick 2024-11-08T15:47:49Z