Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Forwarder instance is not showing in indexer monitor console

722624
Path Finder
‎07-10-2017 02:06 AM

I have setup a universal forwarder to an Indexer. I have done below configurations, but the forwarder instance is not showing in monitoring console,
giving a messge 'search produced no result'

Indexer & searchhead (same server)

input.conf
[splunktcp://9997]
disabled = 0
connection_host = ip

restarted indexer

Forwarder

output.conf

[tcpout:rh_det]
server = 10.172.96.72:9997

[tcpout-server://10.172.96.72:9997]

input.conf

[monitor://opt/scripts/rh.txt]
disabled = false
recursive = true
index=rhsub
_TCP_ROUTING = rh_det

restarted forwarder

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-10-2017 02:17 AM

Hi 722624,
at first verify that route between forwarder and Indexer is open using telnet from forwarder:

telnet 10.172.96.72 9997

After try to verify if Splunk Forwarder's logs arrive to Indexer running this search on Indexer:

index=_internal host=your_hostname

if there aren't still logs, verify hostname in Splunk Forwarder:
in $SPLUNK_HOME/etc/system/local/inputs.conf there must be a stanza like this

[default]
host = your_hostname

in $SPLUNK_HOME/etc/system/local/server.conf there must be a stanza like this

[general]
serverName = your_hostname

See at:
https://docs.splunk.com/Documentation/Splunk/6.6.1/Troubleshooting/IntrototroubleshootingSplunk
https://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs

Bye.
Giuseppe

0 Karma
Reply

722624
Path Finder
‎07-13-2017 09:55 PM

Hi Giuseppe...
Thank you for your response...Sorry for my late reply.. (Actually I am stuck for the past 3 days with another issue..a requirement .....that entire log file should come as a single event...which is not working )

I have done all the steps mentioned by you, I am getting the data to indexer, I have rebuild the forwarders..
still in monitoring console the forwarders are not appearing

Thank you

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-13-2017 11:57 PM

if you verified that you're reciving logs from the forwarder, did you tried to rebuild the forwarders lookup?
Bye.
Giuseppe

0 Karma
Reply

722624
Path Finder
‎07-14-2017 02:11 AM

yes..I have rebuilt

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-14-2017 05:04 AM

Hi 722624,
I don't know other tests, the only one is to check again hostname on forwarder, are you sure that it's correct? could it be the same of another forwarder.

to debug your configuration, try to run on forwarder command

/opt/splunk/bin/splunk cmd btool output list --debug

eventually forwarding output in a text file to see if there is a misconfiguration or other configurations that you don't know.

Watching you inputs.conf I saw an error: on *nix forwarders, in the first row you have to insert three slashes (/) and not two.
in addition, why in your inputs.conf you use _TCP_ROUTING = rh_det if you have only one indexer in your outputs.conf?

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...