How to see which indexes are receiving logs from a certain forwarder?

anshuman19
Explorer

I have set index=new in the inputs.conf file on the forwarder, but my new index has no logs, so I think it's going somewhere else; when I check other indexes like main and _internal, they show some logs. So how do I configure the forwarder so it sends to the right indexer?
I installed the Splunk add-on on 29/1/2018; from that date index=os is not receiving anything, and when I run setup.sh and try to enable inputs it sends me the message "enable failed". I think both problems are related somehow. Can anyone help me with this?

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi anshuman19,
if you're speaking of Universal Forwarders, you have to troubleshoot data ingestion (see https://docs.splunk.com/Documentation/Forwarder/7.0.2/Forwarder/Troubleshoottheuniversalforwarder ).

Anyway, the first thing is to check on the Forwarder:

  • whether the connection is open, using telnet indexer_address 9997 and telnet deployment_server_address 8089;
  • $SPLUNK_HOME/etc/system/local/deploymentclient.conf, to verify whether your Deployment Server is configured;
  • $SPLUNK_HOME/etc/system/local/outputs.conf, to check whether your Indexes are correctly addressed;
  • $SPLUNK_HOME/etc/system/local/server.conf and inputs.conf, to check what the hostname is and whether there are more Forwarders with the same name.

Afterwards, on the indexer, you can check in _internal whether you're receiving logs:

index=_internal host=your_forwarder_hostname

Bye.
Giuseppe
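The forwarder-side checklist above, turned into a script (an added example, not part of gcusello's answer and not Splunk's own tooling): it parses inputs.conf and outputs.conf the way the answer asks you to read them by hand, resolves which index each input stanza will write to, flags stanzas whose index is not defined on the indexer, and tests the indexer ports the same way the telnet check does. The conf contents, the host name fwd01, the indexer addresses and the set of defined indexes are constructed for the illustration; on a real forwarder you would read the files from $SPLUNK_HOME/etc/system/local (or use `splunk btool inputs list --debug` for the merged view) and take the index list from the indexer's Settings > Indexes page.

```python
"""Cross-check a forwarder's inputs.conf / outputs.conf against the indexes
defined on the indexer.  Added example; all conf contents below are constructed."""
import configparser
import socket

# Constructed inputs.conf, as it might sit in $SPLUNK_HOME/etc/system/local on the forwarder.
INPUTS_CONF = """
[default]
host = fwd01

[monitor:///var/log/app/app.log]
index = new
sourcetype = app_log

[monitor:///var/log/messages]
sourcetype = syslog

[monitor:///var/log/secure]
index = os
sourcetype = linux_secure
"""

# Constructed outputs.conf: which indexers the forwarder sends to.
OUTPUTS_CONF = """
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = 10.0.0.10:9997, 10.0.0.11:9997
"""

# Constructed set of indexes that exist on the indexer (Settings > Indexes, or indexes.conf).
INDEXER_INDEXES = {"main", "_internal", "_audit", "os"}


def parse_conf(text):
    """Parse Splunk .conf text (INI-style stanzas) into {stanza: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def input_stanzas(inputs):
    """All input stanzas except the [default] stanza, which only supplies defaults."""
    return [s for s in inputs if s != "default"]


def resolve_index(inputs, stanza):
    """Index an input writes to: the stanza's own setting, then [default]'s,
    else Splunk's built-in default index, which is 'main' unless the indexer changes it."""
    value = inputs[stanza].get("index") or inputs.get("default", {}).get("index")
    return value if value else "main"


def undefined_indexes(inputs, defined):
    """Stanzas whose target index is not defined on the indexer.  The indexer does
    not store events for an unknown index (it logs the refusal in splunkd.log, or
    redirects them if lastChanceIndex is configured), so such an input looks
    'silent' while inputs using the default index keep landing in main."""
    return {(s, resolve_index(inputs, s)) for s in input_stanzas(inputs)
            if resolve_index(inputs, s) not in defined}


def output_servers(outputs):
    """host:port pairs in the defaultGroup of outputs.conf (the indexers actually addressed)."""
    group = outputs.get("tcpout", {}).get("defaultGroup")
    if not group:
        return []
    servers = outputs.get(f"tcpout:{group}", {}).get("server", "")
    return [s.strip() for s in servers.split(",") if s.strip()]


def port_open(host, port, timeout=3.0):
    """Same check as 'telnet host port' in the answer, without needing telnet installed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def report(inputs_text=INPUTS_CONF, outputs_text=OUTPUTS_CONF, defined=INDEXER_INDEXES):
    """Collect the forwarder-side findings in one structure."""
    inputs = parse_conf(inputs_text)
    outputs = parse_conf(outputs_text)
    return {
        "host": inputs.get("default", {}).get("host"),
        "targets": {s: resolve_index(inputs, s) for s in input_stanzas(inputs)},
        "undefined": undefined_indexes(inputs, defined),
        "servers": output_servers(outputs),
    }


if __name__ == "__main__":
    r = report()
    print(f"forwarder host: {r['host']}  (search: index=_internal host={r['host']})")
    for stanza, idx in r["targets"].items():
        print(f"  {stanza} -> index={idx}")
    for stanza, idx in sorted(r["undefined"]):
        print(f"WARNING: {stanza} targets index '{idx}', which is not defined on the indexer")
    for hp in r["servers"]:
        host, port = hp.rsplit(":", 1)
        print(f"indexer {hp}: {'reachable' if port_open(host, int(port)) else 'NOT reachable'}")
```

Run against the constructed files, the script reports that /var/log/app/app.log targets index `new`, which the indexer does not have, while /var/log/messages falls back to main; that pattern matches the symptom in the question, and the fix is to create the index on the indexer (or correct the index name in the stanza) rather than to change outputs.conf. The host value it prints is the one to plug into the `index=_internal host=...` search from the answer.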

DUThibault
Contributor

I'd first check to make sure the forwarder is registered with the indexer. Does it show up in Settings: (Distributed environment) Forwarder management? Next, check what is being watched by the forwarder. Check if the 'new' index exists (Settings: (Data) Indexes).

0 Karma