https://community.splunk.com/t5/Splunk-Search/I-have-installed-the-Splunk-forwarder-but-why-am-I-unable-to/m-p/264790#M79518 <P>@Frederik,</P> <P>Let's say you have 5 machines that you want to collect xyz.log (which exists on all 5 hosts)<BR /> 1. You need to have forwarders on all 5 hosts<BR /> 2. On each of the 5 hosts, in inputs.conf under $SPLUNK_HOME/etc/system/local directory, host should be FQDN of that particular machine (eg, on host1, it would be host=host1) next is your monitor/batch (read inputs.conf from docs) should point to the actual log location on that host.<BR /> 3. outputs.conf , since all these 5 hosts are sending to the same splunk (assumption) they can be pretty much be same on all 5 hosts. This is the typical process configuring a forwarder. </P> <P>With the little information provided, we can only assume what might be wrong, example.<BR /> 1. As one of the answers suggested, is forwarder service up and running on all the hosts?<BR /> 2. What user is your splunk forwarder running as? Does that user have Read access to the log file you are trying to consume?<BR /> 3. Have you checked the connectivity from all the data sources/hosts to Central splunk instance? telnet central splunk's ip 9997? <BR /> 4. Is it NAT'd or probably firewall is blocking the communication? Completely different issue </P> <P>What can be done is, go to the splunkd.log on the machines that are not forwarding logs (Located under $SPLUNK_HOME/var/log/ and do a tail -f splunkd.log) see any ERRORS and abnormal stuff? If yes, that would be the first step of your triage.</P> <P>For more accurate answers, please provide more information and ERRORS if any from your splunkd.log. Hope this helps!</P> <P>Thanks,<BR /> Raghav</P> Wed, 20 Jul 2016 02:24:10 GMT Raghav2384 2016-07-20T02:24:10Z https://community.splunk.com/t5/Splunk-Search/I-have-installed-the-Splunk-forwarder-but-why-am-I-unable-to/m-p/264787#M79515 <P>Sorry but this is probably a stupid question. I have set up Splunk to be able to have centralized collection of all the event logs from my servers. Now that I have installed all the agents, I cannot seem to search all the machines' event logs. I put in host=MYSERVERNAME and there are several machines that do not return anything.</P> <P>Does the agent need to have an app deployed to collect event logs?</P> Tue, 19 Jul 2016 08:36:01 GMT https://community.splunk.com/t5/Splunk-Search/I-have-installed-the-Splunk-forwarder-but-why-am-I-unable-to/m-p/264787#M79515 Frederik 2016-07-19T08:36:01Z https://community.splunk.com/t5/Splunk-Search/I-have-installed-the-Splunk-forwarder-but-why-am-I-unable-to/m-p/264788#M79516 <P>Can you verify that the Splunk forwarder is running on the host machines you installed it on? You can do this by going into <CODE>Splunk_Home/bin</CODE> and run <CODE>./splunk status</CODE></P> <P>Also, you will need to go into <CODE>Splunk_Home/etc/system/local</CODE> and edited the <CODE>outputs.conf</CODE> and make sure it's pointing to your indexer </P> Tue, 19 Jul 2016 14:39:52 GMT https://community.splunk.com/t5/Splunk-Search/I-have-installed-the-Splunk-forwarder-but-why-am-I-unable-to/m-p/264788#M79516 skoelpin 2016-07-19T14:39:52Z https://community.splunk.com/t5/Splunk-Search/I-have-installed-the-Splunk-forwarder-but-why-am-I-unable-to/m-p/264789#M79517 <P>The "official" documentation at <A href="https://docs.splunk.com/Documentation/Splunk/6.4.1/Troubleshooting/Cantfinddata">I can't find my data!</A></P> Wed, 20 Jul 2016 02:08:20 GMT https://community.splunk.com/t5/Splunk-Search/I-have-installed-the-Splunk-forwarder-but-why-am-I-unable-to/m-p/264789#M79517 ddrillic 2016-07-20T02:08:20Z https://community.splunk.com/t5/Splunk-Search/I-have-installed-the-Splunk-forwarder-but-why-am-I-unable-to/m-p/264790#M79518 <P>@Frederik,</P> <P>Let's say you have 5 machines that you want to collect xyz.log (which exists on all 5 hosts)<BR /> 1. You need to have forwarders on all 5 hosts<BR /> 2. On each of the 5 hosts, in inputs.conf under $SPLUNK_HOME/etc/system/local directory, host should be FQDN of that particular machine (eg, on host1, it would be host=host1) next is your monitor/batch (read inputs.conf from docs) should point to the actual log location on that host.<BR /> 3. outputs.conf , since all these 5 hosts are sending to the same splunk (assumption) they can be pretty much be same on all 5 hosts. This is the typical process configuring a forwarder. </P> <P>With the little information provided, we can only assume what might be wrong, example.<BR /> 1. As one of the answers suggested, is forwarder service up and running on all the hosts?<BR /> 2. What user is your splunk forwarder running as? Does that user have Read access to the log file you are trying to consume?<BR /> 3. Have you checked the connectivity from all the data sources/hosts to Central splunk instance? telnet central splunk's ip 9997? <BR /> 4. Is it NAT'd or probably firewall is blocking the communication? Completely different issue </P> <P>What can be done is, go to the splunkd.log on the machines that are not forwarding logs (Located under $SPLUNK_HOME/var/log/ and do a tail -f splunkd.log) see any ERRORS and abnormal stuff? If yes, that would be the first step of your triage.</P> <P>For more accurate answers, please provide more information and ERRORS if any from your splunkd.log. Hope this helps!</P> <P>Thanks,<BR /> Raghav</P> Wed, 20 Jul 2016 02:24:10 GMT https://community.splunk.com/t5/Splunk-Search/I-have-installed-the-Splunk-forwarder-but-why-am-I-unable-to/m-p/264790#M79518 Raghav2384 2016-07-20T02:24:10Z https://community.splunk.com/t5/Splunk-Search/I-have-installed-the-Splunk-forwarder-but-why-am-I-unable-to/m-p/264791#M79519 <P>Well written @Raghav2384</P> Wed, 20 Jul 2016 13:52:52 GMT https://community.splunk.com/t5/Splunk-Search/I-have-installed-the-Splunk-forwarder-but-why-am-I-unable-to/m-p/264791#M79519 skoelpin 2016-07-20T13:52:52Z