topic Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host? in Splunk Search

I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

kemmlli — Tue, 14 Jun 2016 08:15:08 GMT

Hi,

I'm evaluating Splunk for the first time. I installed a forwarder on a Windows server and I configured the inputs.conf (/etc/system/local) like this:

[default]
host = name1

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[monitor://C:\Program Files (x86)\FileZilla Server\Logs\]
host = name1
index=FTP_logs_2
source="C:\Program Files (x86)\FileZilla Server\Logs\"
disabled = 0
whitelist=.log$
#ignoreOlderThan = 7d
#blacklist=C:\logs\onelog.log

The goal is to monitor FileZilla logs.
Index has been created on indexer.

When I'm trying to search data by typing name1 on the Splunk search bar, I get no data. name1 is also not on the host tab in Data Summary button. I need first to search the index in order to see data and search with a random word for finding what I want.

Can anyone help me ?
Thanks,

Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

ryanoconnor — Tue, 14 Jun 2016 13:01:16 GMT

Are you the only user on your system? Is your role able to search that index?

You should also make sure to define the sourcetype that you're interested in in your inputs.conf stanza.

Lastly is there a reason for using the whitelist setting? Are there some logs in that directory you're not interested in?

Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

craigv_splunk — Tue, 14 Jun 2016 13:50:03 GMT

On the forwarder try running the command from the splunk folder bin/splunk list forward-server
Does it say that the connection between the forwarder and the Splunk server is active?

Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

ddrillic — Tue, 14 Jun 2016 13:55:17 GMT

What do you see when you search for host=name1?

Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

kemmlli — Thu, 07 Jul 2016 09:16:38 GMT

This forwarder is a Windows. How to check this on this OS please ? Thanks

Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

kemmlli — Thu, 07 Jul 2016 09:17:24 GMT

I see "No results found" 😞

Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

kemmlli — Thu, 07 Jul 2016 09:19:18 GMT

I'm the only user and I'm with the default admin account.

I tried whitelist to troubleshoot but its not effective.

Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

davebrooking — Tue, 29 Sep 2020 10:06:42 GMT

If you search for index=_internal, do you see any events from the host? If not look at the logs on the forwarder, these will be in %SPLUNK_HOME%\var\log\splunk. Two useful ones to start with are the splunkd.log and the metrics.log.

Do you see errors in the splunkd.log?

Do you see any records in the metrics.log where group=per_index_thruput, series="FTP_logs_2"?

Dave

Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

kemmlli — Tue, 29 Sep 2020 10:09:02 GMT

Actually, I do, with the filter "index=_internal host=name1".

I did not see errors in splunkd.log on the forwarder.

I see records like this one on metrics.log :
"07-07-2016 10:59:23.448 +0200 INFO Metrics - group=per_index_thruput, series="ftp_logs_2", kbps=1.134435, eps=1.290304, kb=35.167969, ev=40, avg_age=375332.150000, max_age=1073997"

Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

davebrooking — Thu, 07 Jul 2016 10:35:06 GMT

OK, the mettrics.log events indicate that the file is being monitored. The search indicates that the forwarder is sending events to the indexer as expected.

If you enter the search

index=FTP_logs_2

do you see any events?

Dave

Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

kemmlli — Tue, 29 Sep 2020 10:09:07 GMT

I do. It's the only way I founded to retrieve data from this input.
At this step, filter is "index=FTP_logs_2".

If I add "host=name1" in order to obtain "index=FTP_logs_2 host=name1" as a filter, I get the same results. But if I only add "host=name1", I do not obtain results. Don't know if this helps.

Thanks !

Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

davebrooking — Tue, 29 Sep 2020 10:10:17 GMT

By default Splunk will only search the main index. You can add extra default indexes to different roles from Settings > Access controls > Roles select the appropriate role, and in the section "Indexes searched by default" add the index FTP_logs_2.

However, the search manual states for efficient searches you should be more specific, adding indexes in this way will search through more data

Dave

Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

kemmlli — Thu, 07 Jul 2016 12:39:40 GMT

Indeed ! It works !

Thank you all !

Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

Richfez — Thu, 07 Jul 2016 13:10:32 GMT

From a cmd prompt, run

C:\Program Files\SplunkUniversalForwarder\bin\splunk list forward-server

Or also from cmd
change to drive C: if it isn't already.
cd into \Program Files\SplunkUniversalForwarder\bin
type splunk list forward-server

Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

kemmlli — Fri, 08 Jul 2016 11:32:09 GMT

Guys,

I noticed just one thing : my host name1 is still not on the host list in the Data summary. Any ideas ?

Thanks a lot

Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

ryanoconnor — Fri, 08 Jul 2016 22:27:20 GMT

Is the index that your host is in set to be searched by default in Your user's role?

Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

kemmlli — Mon, 11 Jul 2016 08:14:34 GMT

It was not, now it's ok !

Thanks again guys !