Splunk Enterprise

Receiver not receiving data from universal forwarder

easedilctl
New Member

Hi,

I'm trying to congfigure a forwarder and the receiver doesn't get any data. Please help.

Forwarder's outputs.conf:
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = vm1.sandbox:9997

[tcpout-server://vm1.sandbox:9997]

That was configured using splunk add forward-server command.

Below is the Receivers inputs.conf (configured via Splunk Web>Manager>Forwarding and receiving menu)

[splunktcp://9997]
connection_host = ip

Totally a newbie and trying to understand how these components work.

Thanks!

0 Karma

easedilctl
New Member

not sure what happened but I started seeing the logs after rebooting the server. here's the output of spunk list monitor command

Monitored Directories:
$SPLUNK_HOME/var/log/splunk/splunkd.log
/opt/app/splunkforwarder/var/log/splunk/audit.log
/opt/app/splunkforwarder/var/log/splunk/first_install.log
/opt/app/splunkforwarder/var/log/splunk/license_audit.log
/opt/app/splunkforwarder/var/log/splunk/license_usage.log
/opt/app/splunkforwarder/var/log/splunk/metrics.log
/opt/app/splunkforwarder/var/log/splunk/scheduler.log
/opt/app/splunkforwarder/var/log/splunk/searchhistory.log
/opt/app/splunkforwarder/var/log/splunk/splunkd.log
/opt/app/splunkforwarder/var/log/splunk/splunkd_access.log
/opt/app/splunkforwarder/var/log/splunk/splunkd_stderr.log
/opt/app/splunkforwarder/var/log/splunk/splunkd_stdout.log
$SPLUNK_HOME/var/spool/splunk/...stash_new
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/alert_vm2db.log
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_dbrm_18753.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_dbrm_18753.trm
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_j001_18973.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_j001_18973.trm
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_mmon_18771.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_mmon_18771.trm
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_vkrm_18831.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_vkrm_18831.trm
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_vktm_18745.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_vktm_18745.trm
Monitored Files:
$SPLUNK_HOME/etc/splunk.version

0 Karma

lguinn2
Legend

Here is a great article on the Splunk wiki: Troubleshooting Monitor Inputs
i suggest that you skip the first part of the page on setting DEBUG mode, as the other suggestions on the page are generally both easier and more useful.

And as a very first step, I would log onto the forwarder and give the following command

splunk list monitor

which will tell you which files Splunk is reading. A quick peek at splunkd.log may be helpful, too; you can even search it with the following command:

index=_internal source=*splunkd.log

easedilctl
New Member

thank you for your help!

0 Karma

easedilctl
New Member

The following is what's on my inputs.conf in the forwarder:

[monitor:///opt/app/oracle/diag/rdbms/vm2db/vm2db/trace]

And yes, splunk user has permissions on those directories.

0 Karma

sdaniels
Splunk Employee
Splunk Employee

What is in your inputs.conf file on the forwarder?

0 Karma

Ayn
Legend

Did you configure inputs on the forwarder?

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...