All Apps and Add-ons

How to see which indexes is reciving log from certain forwarder?

anshuman19
Explorer

I have set index=new in inputs.conf file in forwarder but my new have no logs so I think its going to some where else when I check other indexes like main internal its shows some log .So how to configure the forwarder so it send to right indexer.
I installed splunk add-on on 29/1/2018 form that date Index=os is not receiving any thing and when I run setup.sh and try to enable inputs its send me message "enable failed". I think the both problem are related some how , can anyone help me in this

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi anshuman19,
if you're speaking of Universal Forwarders, you have to troubleshoot data ingestion (see https://docs.splunk.com/Documentation/Forwarder/7.0.2/Forwarder/Troubleshoottheuniversalforwarder ).

Anyway, the first thing is to check on Forwarder:

  • if connection is open, using telnet indexer_address 9997 and telnet deployment_server_address 8089;
  • $SPLUNK_HOME/etc/system/local/deploymentclient.conf and verify if it's configured your Deployment Server;
  • $SPLUNK_HOME/etc/system/local/outputs.conf and check if your Indexes are correctly addressed;
  • $SPLUNK_HOME/etc/system/local/server.conf and inputs.conf and check what's the hostname and if there are more Forwarders with the same name.

After on indexer you can check on _internal if you're receiving logs:

index=_internal host=your_forwarder_hostname

Bye.
Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi anshuman19,
if you're speaking of Universal Forwarders, you have to troubleshoot data ingestion (see https://docs.splunk.com/Documentation/Forwarder/7.0.2/Forwarder/Troubleshoottheuniversalforwarder ).

Anyway, the first thing is to check on Forwarder:

  • if connection is open, using telnet indexer_address 9997 and telnet deployment_server_address 8089;
  • $SPLUNK_HOME/etc/system/local/deploymentclient.conf and verify if it's configured your Deployment Server;
  • $SPLUNK_HOME/etc/system/local/outputs.conf and check if your Indexes are correctly addressed;
  • $SPLUNK_HOME/etc/system/local/server.conf and inputs.conf and check what's the hostname and if there are more Forwarders with the same name.

After on indexer you can check on _internal if you're receiving logs:

index=_internal host=your_forwarder_hostname

Bye.
Giuseppe

DUThibault
Contributor

I'd first check to make sure the forwarder is registered with the indexer. Does it show up in Settings: (Distributed environment) Forwarder management? Next check what is being watched by the forwarder. Check if the 'new' index exists ( Settings: (Data) Indexes).

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...