Installation

No Data input following 7.1.2 upgrade on 2008 server

qufe
Explorer

Hello,

I have upgraded my Splunk Enterprise 6.5.1 to 7.1.2 on a Windows 2008 R2 server (see https://answers.splunk.com/answers/672130/splunk-win2008r2-upgrade-65-to-71.html for my last thread).
I have enabled TLS 1.2 support on 2008 R2 with regedit, but I didn't modify anything else, as I didn't modify alert_actions.conf and ldap.conf in my configuration.

Upgrade went well, but after that, it seems my local data inputs aren't working anymore.

Several machines are sending FTP logs to the Splunk server, and I'm monitoring the folders where the pushed log files are. It's probably not the best setup, but it worked for the last 2 years.

Files are indeed pushed to those folders, but they are not processed by Splunk anymore. I do not see them in the Sources of my Data Summary.

As stated in documentation, the Windows universal forwarder installation package no longer includes the Splunk Add-on for Windows.
To be honest, I'm not sure if this is linked, so I tried to install the latest universal forwarder. I wasn't able to install it: the error message is the default one from Windows ("an error has occurred, setup has ended prematurely, your system was not updated").

Can you help me understand why my local file monitoring / data inputs aren't working anymore?

Thank you in advance for your help.

Best regards,

Quentin

0 Karma

deepashri_123
Motivator

Hey @qufe,

Can you check for errors in the internal logs and share them, so that someone can help!

0 Karma

qufe
Explorer

Hello,

Which files would help? I'm not skilled at all in Splunk, to be honest.
The only file I checked was splunkd.log, which didn't contain anything relevant to my current problem 😞

Best regards,

Quentin

0 Karma

deepashri_123
Motivator

You can run the following search:

index=_internal log_level="ERROR"

and check the logs related to the data input. See if you get some details.

0 Karma

qufe
Explorer

Thanks for your answer.
No interesting error. Everything is related to SNMP and was logged 4 hours ago (probably during / after the upgrade).

Even if I simplify to just index=_internal, I have nothing after 9:54 (it's 14:00 here), which is the time of the upgrade, I suppose.
That's not pretty, is it?

Best regards,

Quentin

0 Karma
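The searches below are an added example for readers following this thread; they are not part of any post above and are not Splunk's own documentation. They narrow deepashri_123's index=_internal log_level="ERROR" search to the components that drive file monitoring (TailReader, TailingProcessor, WatchedFile, FilesystemChangeWatcher), check whether the instance has indexed anything at all since the upgrade (the symptom in the last post), and then query the live inputstatus and monitor-input REST endpoints, which reflect current splunkd state even when nothing is being written to _internal. They assume they are run from the Search app on the upgraded Splunk Enterprise instance itself (splunk_server=local); the time window (the upgrade morning) is an assumption you should adjust. The `comment` macro is used only to label each search; each search is meant to be run separately.

```spl
`comment("1. Errors/warnings from the file-monitoring pipeline since the upgrade (time window is an assumption)")`
index=_internal sourcetype=splunkd earliest=-1d (log_level=ERROR OR log_level=WARN)
    (component=TailReader OR component=TailingProcessor OR component=WatchedFile OR component=FilesystemChangeWatcher)
| table _time log_level component _raw
| sort - _time

`comment("2. Per-index indexing throughput from metrics.log: a flat line after the upgrade means nothing is being indexed, not just the monitored folders")`
index=_internal sourcetype=splunkd component=Metrics group=per_index_thruput earliest=-1d
| timechart span=15m sum(kb) AS kb_indexed BY series

`comment("3. Live status of every file the tailing processor knows about (type, position, percent read), read from splunkd directly, not from indexed data")`
| rest /services/admin/inputstatus/TailingProcessor:FileStatus splunk_server=local
| transpose
| rename column AS file_attribute, "row 1" AS value
| search file_attribute="*.type" OR file_attribute="*.file position" OR file_attribute="*.percent"

`comment("4. Monitor inputs that are actually configured and whether the upgrade left any of them disabled")`
| rest /services/data/inputs/monitor splunk_server=local
| table title disabled index sourcetype host whitelist blacklist
```

If search 3 does not list the FTP drop folders at all, the monitor stanza is no longer being loaded; if it lists them with a type other than "open file" and no advancing position, the files are seen but not read. If search 2 is empty after the upgrade time, the problem is upstream of the inputs (splunkd not indexing), which matches the observation that index=_internal itself stops at 9:54.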