I have set up a universal forwarder to an indexer. I have done the configurations below, but the forwarder instance is not showing in the monitoring console, which gives the message 'search produced no result'.

Indexer & search head (same server)

inputs.conf
    [splunktcp://9997]
    disabled = 0
    connection_host = ip

Forwarder

outputs.conf
    [tcpout:rh_det]
    server = 10.172.96.72:9997

    [tcpout-server://10.172.96.72:9997]

inputs.conf
    [monitor://opt/scripts/rh.txt]
    disabled = false
    recursive = true
    index = rhsub
    _TCP_ROUTING = rh_det

I restarted the forwarder.
Hi 722624,
First, verify that the route between the forwarder and the indexer is open, using telnet from the forwarder:
    telnet 10.172.96.72 9997
After that, verify whether the Splunk forwarder's logs arrive at the indexer by running this search on the indexer:
    index=_internal host=your_hostname
If there still aren't any logs, verify the hostname in the Splunk forwarder:
in $SPLUNK_HOME/etc/system/local/inputs.conf there must be a stanza like this
    [default]
    host = your_hostname
in $SPLUNK_HOME/etc/system/local/server.conf there must be a stanza like this
    [general]
    serverName = your_hostname
See:
https://docs.splunk.com/Documentation/Splunk/6.6.1/Troubleshooting/IntrototroubleshootingSplunk
https://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs
Bye.
Giuseppe
Hi Giuseppe,
Thank you for your response, and sorry for my late reply. (Actually I have been stuck for the past 3 days with another issue, a requirement that the entire log file should come in as a single event, which is not working.)
I have done all the steps you mentioned; I am getting the data to the indexer, and I have rebuilt the forwarders,
but the forwarders still do not appear in the monitoring console.
Thank you
If you have verified that you're receiving logs from the forwarder, did you try to rebuild the forwarders lookup?
Bye.
Giuseppe
Yes, I have rebuilt it.
Hi 722624,
I don't know any other tests; the only one left is to check the hostname on the forwarder again. Are you sure it's correct? Could it be the same as another forwarder's?
To debug your configuration, try running this command on the forwarder:
    /opt/splunk/bin/splunk cmd btool outputs list --debug
optionally redirecting the output to a text file, to see if there is a misconfiguration or other configurations that you don't know about.
Looking at your inputs.conf I saw an error: on *nix forwarders, in the first row you have to insert three slashes (/), not two.
In addition, why do you use _TCP_ROUTING = rh_det in your inputs.conf
if you have only one indexer in your outputs.conf?
Bye.
Giuseppe
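As an added example (not code from the thread or from Splunk), the following Python script parses a forwarder's inputs.conf and outputs.conf and flags the two points raised above: a monitor stanza whose path is not absolute (two slashes instead of three on *nix) and a _TCP_ROUTING value that either names no tcpout group or is not needed because only one group exists. The sample config text is constructed to mirror the thread and is embedded inline.

```python
import configparser

# Constructed sample configs mirroring the thread (not the poster's files verbatim).
INPUTS_CONF = """
[monitor://opt/scripts/rh.txt]
disabled = false
recursive = true
index = rhsub
_TCP_ROUTING = rh_det
"""

OUTPUTS_CONF = """
[tcpout:rh_det]
server = 10.172.96.72:9997

[tcpout-server://10.172.96.72:9997]
"""


def parse_conf(text):
    """Parse an INI-like Splunk .conf into {stanza: {key: value}}.

    Keys such as _TCP_ROUTING are case-sensitive, so optionxform is disabled;
    only '=' is a delimiter because stanza values may contain ':' (host:port).
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def check_forwarder_configs(inputs_text, outputs_text):
    """Return a list of human-readable findings for monitor stanzas."""
    inputs = parse_conf(inputs_text)
    outputs = parse_conf(outputs_text)
    # tcpout groups are the stanzas named [tcpout:<group>] (not tcpout-server).
    groups = {s.split(":", 1)[1] for s in outputs if s.startswith("tcpout:")}
    findings = []
    for stanza, keys in inputs.items():
        if not stanza.startswith("monitor://"):
            continue
        path = stanza[len("monitor://"):]
        if not path.startswith("/"):
            # monitor://opt/... leaves a relative path; *nix needs monitor:///opt/...
            findings.append(f"{stanza}: path '{path}' is relative; use monitor:///{path}")
        route = keys.get("_TCP_ROUTING")
        if route and route not in groups:
            findings.append(f"{stanza}: _TCP_ROUTING group '{route}' is not defined in outputs.conf")
        elif route and len(groups) == 1:
            findings.append(f"{stanza}: _TCP_ROUTING is not needed with a single tcpout group")
    return findings
```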