
Forwarder instance is not showing in indexer monitor console

Path Finder

I have set up a universal forwarder to an indexer. I have done the configurations below, but the forwarder instance is not showing in the monitoring console,
giving the message 'search produced no result'

Indexer & searchhead (same server)

input.conf
[splunktcp://9997]
disabled = 0
connection_host = ip

restarted indexer

Forwarder

output.conf

[tcpout:rh_det]
server = 10.172.96.72:9997

[tcpout-server://10.172.96.72:9997]

input.conf

[monitor://opt/scripts/rh.txt]
disabled = false
recursive = true
index=rhsub
TCPROUTING = rh_det

restarted forwarder

0 Karma

Re: Forwarder instance is not showing in indexer monitor console

Legend

Hi 722624,
first, verify that the route between the forwarder and the indexer is open, using telnet from the forwarder:

telnet 10.172.96.72 9997

Then verify whether the Splunk forwarder's logs arrive at the indexer by running this search on the indexer:

index=_internal host=your_hostname

If there still aren't logs, verify the hostname on the Splunk forwarder:
in $SPLUNK_HOME/etc/system/local/inputs.conf there must be a stanza like this

[default]
host = your_hostname

in $SPLUNK_HOME/etc/system/local/server.conf there must be a stanza like this

[general]
serverName = your_hostname

See:
https://docs.splunk.com/Documentation/Splunk/6.6.1/Troubleshooting/IntrototroubleshootingSplunk
https://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs

Bye.
Giuseppe

0 Karma

Re: Forwarder instance is not showing in indexer monitor console

Path Finder

Hi Giuseppe...
Thank you for your response... Sorry for my late reply. (Actually I have been stuck for the past 3 days with another issue, a requirement that an entire log file should come as a single event, which is not working.)

I have done all the steps you mentioned and I am getting the data to the indexer. I have rebuilt the forwarders.
Still, in the monitoring console the forwarders are not appearing.

Thank you

0 Karma

Re: Forwarder instance is not showing in indexer monitor console

Legend

If you verified that you're receiving logs from the forwarder, did you try to rebuild the forwarders lookup?
Bye.
Giuseppe

0 Karma

Re: Forwarder instance is not showing in indexer monitor console

Path Finder

Yes, I have rebuilt it.

0 Karma

Re: Forwarder instance is not showing in indexer monitor console

Legend

Hi 722624,
I don't know of other tests; the only one is to check the hostname on the forwarder again. Are you sure that it's correct? Could it be the same as another forwarder's?

To debug your configuration, try running this command on the forwarder:

/opt/splunk/bin/splunk cmd btool outputs list --debug

optionally redirecting the output to a text file, to see if there is a misconfiguration or other configurations that you don't know about.

Looking at your inputs.conf I saw an error: on *nix forwarders, in the first row you have to insert three slashes (/) and not two.
In addition, why do you use _TCP_ROUTING = rh_det in your inputs.conf if you have only one indexer in your outputs.conf?

Bye.
Giuseppe

0 Karma
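
An added example, not part of any post in this thread and not Splunk code: a small Python lint for the forwarder issues raised in the last reply (the two-slash monitor path and the routing setting), run against the stanzas as they are displayed in the question. The function names are hypothetical, and the check that `_TCP_ROUTING` names an existing `[tcpout:<group>]` stanza goes slightly beyond what the thread discusses.

```python
import configparser
import re

# Constructed sample: the forwarder stanzas as displayed in the question.
INPUTS = """[monitor://opt/scripts/rh.txt]
disabled = false
recursive = true
index=rhsub
TCPROUTING = rh_det
"""
OUTPUTS = """[tcpout:rh_det]
server = 10.172.96.72:9997

[tcpout-server://10.172.96.72:9997]
"""

def parse(text):
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(text)
    return cp

def lint(inputs_text, outputs_text):
    """Return a list of (stanza, message) findings for a forwarder config."""
    inputs, outputs = parse(inputs_text), parse(outputs_text)
    groups = {s.split(":", 1)[1] for s in outputs.sections() if s.startswith("tcpout:")}
    findings = []
    for stanza in inputs.sections():
        if stanza.startswith("monitor://"):
            path = stanza[len("monitor://"):]
            # Absolute *nix paths need a third slash; allow Windows drive/UNC paths.
            if not (path.startswith("/") or re.match(r"[A-Za-z]:\\|\\\\", path)):
                findings.append((stanza, "path is not absolute; use monitor:///" + path))
        for key, value in inputs.items(stanza):
            if key == "_TCP_ROUTING":
                for group in (g.strip() for g in value.split(",")):
                    if group != "*" and group not in groups:
                        findings.append((stanza, "no [tcpout:%s] in outputs.conf" % group))
            elif key.replace("_", "").upper() == "TCPROUTING":
                findings.append((stanza, "setting %r is not _TCP_ROUTING" % key))
    for group in sorted(groups):
        if not outputs.get("tcpout:" + group, "server", fallback="").strip():
            findings.append(("tcpout:" + group, "group has no server = host:port"))
    return findings

if __name__ == "__main__":
    for stanza, message in lint(INPUTS, OUTPUTS):
        print("[%s] %s" % (stanza, message))
```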