I have set up a universal forwarder to an Indexer. I have done the configurations below, but the forwarder instance is not showing in the monitoring console, giving a message 'search produced no result'.
Indexer & searchhead (same server)
disabled = 0
connection_host = ip
server = 10.172.96.72:9997
disabled = false
recursive = true
_TCP_ROUTING = rh_det
At first, verify that the route between forwarder and Indexer is open using telnet from the forwarder:
telnet 10.172.96.72 9997
After that, try to verify whether the Splunk Forwarder's logs arrive at the Indexer by running this search on the Indexer:
If there still aren't logs, verify the hostname in the Splunk Forwarder:
in $SPLUNK_HOME/etc/system/local/inputs.conf there must be a stanza like this
[default]
host = your_hostname
in $SPLUNK_HOME/etc/system/local/server.conf there must be a stanza like this
[general]
serverName = your_hostname
Thank you for your response... Sorry for my late reply. (Actually I have been stuck for the past 3 days with another issue, a requirement that the entire log file should come as a single event, which is not working.)
I have done all the steps mentioned by you, I am getting the data to the indexer, I have rebuilt the forwarders...
Still, in the monitoring console the forwarders are not appearing.
I don't know other tests; the only one is to check the hostname on the forwarder again. Are you sure that it's correct? Could it be the same as another forwarder's?
To debug your configuration, try to run this command on the forwarder:
/opt/splunk/bin/splunk cmd btool outputs list --debug
eventually forwarding the output to a text file to see whether there is a misconfiguration or other configurations that you don't know about.
Looking at your inputs.conf I saw an error: on *nix forwarders, in the first row you have to insert three slashes (/) and not two.
In addition, why in your inputs.conf do you use _TCP_ROUTING = rh_det if you have only one indexer in your outputs.conf?
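A small checker, added here as an example (not code from the thread or from Splunk), that applies the checks from both answers above to the text of the forwarder's inputs.conf, server.conf and outputs.conf: host must match serverName, a *nix monitor stanza needs three slashes, and a _TCP_ROUTING value must name a defined [tcpout:<group>]. The sample files and hostnames are constructed; run it against your own three files by reading them into the three strings.

```python
import configparser


def parse_conf(text):
    """Parse Splunk .conf text; keep key case (so _TCP_ROUTING survives) and disable '%' interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_forwarder(inputs_txt, server_txt, outputs_txt):
    """Return the list of misconfigurations found across the three forwarder files."""
    inputs, server, outputs = (parse_conf(t) for t in (inputs_txt, server_txt, outputs_txt))
    problems = []
    # The Monitoring Console identifies a forwarder by host/serverName; both
    # must be set and agree (and be unique across forwarders).
    host = inputs.get("default", "host", fallback=None)
    server_name = server.get("general", "serverName", fallback=None)
    if not host or not server_name:
        problems.append("host (inputs.conf) or serverName (server.conf) is missing")
    elif host != server_name:
        problems.append(f"host '{host}' does not match serverName '{server_name}'")
    # Every _TCP_ROUTING value must name an existing [tcpout:<group>] stanza.
    groups = {s[len("tcpout:"):] for s in outputs.sections() if s.startswith("tcpout:")}
    for sect in inputs.sections():
        # On *nix an absolute path needs three slashes: monitor:///var/log/...
        if sect.startswith("monitor://") and not sect.startswith("monitor:///"):
            problems.append(f"[{sect}] uses two slashes; *nix paths need monitor:///")
        routing = inputs.get(sect, "_TCP_ROUTING", fallback=None)
        if routing and routing not in groups:
            problems.append(f"[{sect}] routes to '{routing}', undefined in outputs.conf")
    return problems


# Constructed sample files (not real data) reproducing the thread's mistakes:
# a two-slash monitor path and a host that differs from serverName.
INPUTS_CONF = """[default]
host = fwd01
[monitor://var/log/app]
disabled = false
recursive = true
_TCP_ROUTING = rh_det
"""
SERVER_CONF = """[general]
serverName = fwd-01
"""
OUTPUTS_CONF = """[tcpout]
defaultGroup = rh_det
[tcpout:rh_det]
server = 10.172.96.72:9997
"""
```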