I have upgraded my Splunk Enterprise 6.5.1 to 7.1.2 on a Windows 2008 R2 (https://answers.splunk.com/answers/672130/splunk-win2008r2-upgrade-65-to-71.html for my last thread).
I have enabled the TLS 1.2 support on 2008 R2 with regedit, but I didn't modify anything else as I didn't modify the alert_actions.conf and ldap.conf in my configuration.
Upgrade went well, but after that, it seems my local data inputs aren't working anymore.
Several machines are sending in FTP logs on the Splunk and I'm monitoring the folders where the pushed log files are. It's probably not the best but it worked for the last 2 years.
Files are indeed pushed on those folders but they are not processed by Splunk anymore. I do not see them in the Sources of my Data Summary.
As stated in documentation, the Windows universal forwarder installation package no longer includes the Splunk Add-on for Windows.
To be honest, I'm not sure if this is linked, so I tried to install the last universal forwarder. I wasn't able to install it: the error message is the default one from Windows (error has occurred setup has ended prematurely, your system was not updated).
Can you help me understand why my local file monitoring / data inputs aren't working anymore?
Thank you in advance for your help.
Which files would help? I'm not skilled at all on Splunk to be honest.
The only file I checked was the splunkd.log which didn't contain anything relevant to my current problem 😞
Thanks for your answer.
No interesting error. Everything is related to snmp and was logged 4 hours ago (probably during / after the upgrade).
Even if I simplify with just index=_internal I have nothing after 9:54 (it's 14:00 here) which is the time of the upgrade I suppose.
That's not pretty, is it?