https://community.splunk.com/t5/Splunk-Search/Universal-Forwarder-Not-Forwarding-Data-Intermittent-Issue/m-p/602072#M209560 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/65114">@madhav_dholakia</a>&nbsp;- Your configuration looks correct to me.</P><P>&nbsp;</P><P>I think you should observe how your system is overriding the data in the CSV files every time, how and when they are writing in the file, what is the size of the files, and how long it's taking to write a file.</P><P>Please monitor the above parameters on the host for files which are having this more than other files and compare. I think that should lead you to the root cause that is causing this intermittent issue.</P><P>&nbsp;</P><P>I hope this helps!!!</P> Thu, 16 Jun 2022 13:08:54 GMT VatsalJagani 2022-06-16T13:08:54Z https://community.splunk.com/t5/Splunk-Search/Universal-Forwarder-Not-Forwarding-Data-Intermittent-Issue/m-p/602054#M209549 <P><FONT size="3">Hi All,</FONT></P><P><FONT size="3">We have a universal forwarder running on Windows Server which is sending data to our Splunk Instance in Cloud.</FONT></P><P><FONT size="3">Below are some details of .conf files and logs:</FONT></P><P><FONT size="2"><STRONG>inputs.conf</STRONG></FONT></P><P><FONT size="2">[default]</FONT><BR /><FONT size="2">host = DB_DATA</FONT></P><P><FONT size="2">[monitor://D:\ABC\DB_Monitoring\Cust]</FONT><BR /><FONT size="2">disabled=0</FONT><BR /><FONT size="2">index=rjsql</FONT><BR /><FONT size="2">sourcetype = csv</FONT><BR /><FONT size="2">crcSalt = &lt;SOURCE&gt;</FONT><BR /><FONT size="2">time_before_close = 60</FONT></P><P><FONT size="2"><STRONG>props.conf</STRONG></FONT></P><P><FONT size="2">[default]</FONT><BR /><FONT size="2">NO_BINARY_CHECK=true</FONT><BR /><FONT size="2">CHARSET=AUTO</FONT></P><P><FONT size="2">[source::D:\ABC\DB_Monitoring\Cust\*.csv]<BR />CHECK_METHOD = modtime</FONT></P><P><FONT size="2">There are some files which are either 1) no being indexed at all 2) only headers are indexed - this doesn't happen with all the files, only some of them.</FONT></P><P><STRONG><FONT size="2">Logs from _internal (for file which has got only header indexed)</FONT></STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="madhav_dholakia_1-1655378730697.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20125iAD43B523110C833B/image-size/medium?v=v2&amp;px=400" role="button" title="madhav_dholakia_1-1655378730697.png" alt="madhav_dholakia_1-1655378730697.png" /></span></P><P><FONT size="2"><STRONG>Tailing processer file status</STRONG></FONT></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="madhav_dholakia_2-1655378896371.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20126iD1DFDCC55DECC55E/image-size/medium?v=v2&amp;px=400" role="button" title="madhav_dholakia_2-1655378896371.png" alt="madhav_dholakia_2-1655378896371.png" /></span></P><P><FONT size="2"><STRONG>btool output:</STRONG></FONT></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="madhav_dholakia_3-1655379120242.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20127iA230FB832D99DE7D/image-size/medium?v=v2&amp;px=400" role="button" title="madhav_dholakia_3-1655379120242.png" alt="madhav_dholakia_3-1655379120242.png" /></span></P><P>Can you please suggest what else I could check here and resolve this intermittent issue?</P><P>Thank you.</P> Thu, 16 Jun 2022 11:35:14 GMT https://community.splunk.com/t5/Splunk-Search/Universal-Forwarder-Not-Forwarding-Data-Intermittent-Issue/m-p/602054#M209549 madhav_dholakia 2022-06-16T11:35:14Z https://community.splunk.com/t5/Splunk-Search/Universal-Forwarder-Not-Forwarding-Data-Intermittent-Issue/m-p/602072#M209560 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/65114">@madhav_dholakia</a>&nbsp;- Your configuration looks correct to me.</P><P>&nbsp;</P><P>I think you should observe how your system is overriding the data in the CSV files every time, how and when they are writing in the file, what is the size of the files, and how long it's taking to write a file.</P><P>Please monitor the above parameters on the host for files which are having this more than other files and compare. I think that should lead you to the root cause that is causing this intermittent issue.</P><P>&nbsp;</P><P>I hope this helps!!!</P> Thu, 16 Jun 2022 13:08:54 GMT https://community.splunk.com/t5/Splunk-Search/Universal-Forwarder-Not-Forwarding-Data-Intermittent-Issue/m-p/602072#M209560 VatsalJagani 2022-06-16T13:08:54Z https://community.splunk.com/t5/Splunk-Search/Universal-Forwarder-Not-Forwarding-Data-Intermittent-Issue/m-p/602078#M209562 <P>thanks,&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/93915">@VatsalJagani</a>&nbsp;- these files are &lt;10KBs and updated every 15 days/month. With a time_before_close param set, I don't think file writing will take more time looking at the file size.</P> Thu, 16 Jun 2022 13:19:01 GMT https://community.splunk.com/t5/Splunk-Search/Universal-Forwarder-Not-Forwarding-Data-Intermittent-Issue/m-p/602078#M209562 madhav_dholakia 2022-06-16T13:19:01Z https://community.splunk.com/t5/Splunk-Search/Universal-Forwarder-Not-Forwarding-Data-Intermittent-Issue/m-p/602085#M209567 <P>Yeah, file size, I don't think should be a problem here then.</P> Thu, 16 Jun 2022 13:51:26 GMT https://community.splunk.com/t5/Splunk-Search/Universal-Forwarder-Not-Forwarding-Data-Intermittent-Issue/m-p/602085#M209567 VatsalJagani 2022-06-16T13:51:26Z