All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Unix Forwarder Not Showing In Deployment Monitor

AaronMoorcroft
Communicator
‎04-24-2013 08:26 AM

Hi Guys

I work in a huge enviroment and one of the Unix guys has installed a forwarder on there Unix box, I'm assuured that the installation was succesful and I have to take that as gospel at the moment, my question is should I expect to see a Unix forwarder in the Deployment manager app ?

Is there a serch and can put into Splunk to find the Unix forwarder ? the funny thing is Im able to search the host name of where this forwarder has been installed and logs are found but there found from a while back up until now, the forwarder was only installed a few hours ago so Splunk is getting this information from somewhere else by the look of it.

Any Ideas ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mkinsley_splunk
Splunk Employee
Splunk Employee
‎04-24-2013 12:11 PM

Hi Aaron,

Yes, you should be seeing the forwarders in the DM app. Here is a modified, shortened version of the search used to populate the Forwarders View inside the app:

index="_internal" source="*metrics.lo*" group=tcpin_connections | stats count by host

Forwarder logs are sent to the _internal index and have metrics.log inside the source name. If you want to see the raw events , remove the stats clause.

Thanks,

Michael

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mkinsley_splunk
Splunk Employee
Splunk Employee
‎04-24-2013 12:11 PM

Hi Aaron,

Yes, you should be seeing the forwarders in the DM app. Here is a modified, shortened version of the search used to populate the Forwarders View inside the app:

index="_internal" source="*metrics.lo*" group=tcpin_connections | stats count by host

Forwarder logs are sent to the _internal index and have metrics.log inside the source name. If you want to see the raw events , remove the stats clause.

Thanks,

Michael

0 Karma
Reply
Solved! Jump to solution

matt
Splunk Employee
Splunk Employee
‎04-24-2013 09:00 AM

If the forwarder was configured to index /var/log/messages/ then it probably just indexed the archived log files.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...