My Cisco Indexer just stopped indexing new data. Splunk is receiving data from the Syslog server but just not getting index and so nothing is showing in the Cisco Networks apps/addon. I do have an input/output file on my syslog servers through UF that is monitoring the folder with the logs, which is not the problem since i can see current&old logs in the SH. The output is pointing to my HF which forwards the data to the Idexer. I'm running 8.0.1 with 1 server each SH, IDX, DP, HF.
I know it's not indexing cuz my indexer haven't received data for at least a day and there are no errors in the the logs.
did you ever received logs from that source?
if you received and you don't receive since 12 days, it could be a timestamp problem: you have timestamp in dd/mm/yyyy format and Splunk read it as mm/dd/yyyy, in this way you should find your logs of 12/feb/2020 on 2 dec 2020.
You can solve this problem settinf the Timestamp format in props.conf (TIME_FORMAT=%d/%m/%Y....).
if instead you never received logs, start your debug from the source: the Cisco reach the HF? you can test it using telnet or network tools.
I don't think it's a timestamp since my SH is receiving data but not saving it to the indexer. Also, ports are open cuz I can ping on them from each servers.
why do you say that SU is receiving data? data is usually received by Indexers and SHs queryto Indexers for data.
Anyway, if you have an SH tata receives data (not good!), it's a good practice that all the Splunk servers (also SHs) send their logs (usually only internal logs but eventually also others) to Indexers to have only one data repository.