
Receiver not receiving data from universal forwarder

New Member

Hi,

I'm trying to configure a forwarder and the receiver doesn't get any data. Please help.

Forwarder's outputs.conf:
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = vm1.sandbox:9997

[tcpout-server://vm1.sandbox:9997]

That was configured using the splunk add forward-server command.

Below is the receiver's inputs.conf (configured via the Splunk Web > Manager > Forwarding and receiving menu):

[splunktcp://9997]
connection_host = ip

Totally a newbie and trying to understand how these components work.

Thanks!

0 Karma

Re: Receiver not receiving data from universal forwarder

Legend

Did you configure inputs on the forwarder?

0 Karma

Re: Receiver not receiving data from universal forwarder

Splunk Employee

What is in your inputs.conf file on the forwarder?

0 Karma

Re: Receiver not receiving data from universal forwarder

New Member

The following is what's in my inputs.conf on the forwarder:

[monitor:///opt/app/oracle/diag/rdbms/vm2db/vm2db/trace]

And yes, splunk user has permissions on those directories.

0 Karma

Re: Receiver not receiving data from universal forwarder

Legend

Here is a great article on the Splunk wiki: Troubleshooting Monitor Inputs
I suggest that you skip the first part of the page on setting DEBUG mode, as the other suggestions on the page are generally both easier and more useful.

And as a very first step, I would log onto the forwarder and give the following command

splunk list monitor

which will tell you which files Splunk is reading. A quick peek at splunkd.log may be helpful, too; you can even search it with the following command:

index=_internal source=*splunkd.log

Re: Receiver not receiving data from universal forwarder

New Member

Thank you for your help!

0 Karma

Re: Receiver not receiving data from universal forwarder

New Member

Not sure what happened, but I started seeing the logs after rebooting the server. Here's the output of the splunk list monitor command:

Monitored Directories:
$SPLUNK_HOME/var/log/splunk/splunkd.log
/opt/app/splunkforwarder/var/log/splunk/audit.log
/opt/app/splunkforwarder/var/log/splunk/first_install.log
/opt/app/splunkforwarder/var/log/splunk/licenseaudit.log
/opt/app/splunkforwarder/var/log/splunk/license_usage.log
/opt/app/splunkforwarder/var/log/splunk/metrics.log
/opt/app/splunkforwarder/var/log/splunk/scheduler.log
/opt/app/splunkforwarder/var/log/splunk/searchhistory.log
/opt/app/splunkforwarder/var/log/splunk/splunkd.log
/opt/app/splunkforwarder/var/log/splunk/splunkdaccess.log
/opt/app/splunkforwarder/var/log/splunk/splunkd_stderr.log
/opt/app/splunkforwarder/var/log/splunk/splunkdstdout.log
$SPLUNK_HOME/var/spool/splunk/...stashnew
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/alert_vm2db.log
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2dbdbrm18753.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2dbdbrm18753.trm
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2dbj00118973.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2dbj00118973.trm
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2dbmmon18771.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2dbmmon18771.trm
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2dbvkrm18831.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2dbvkrm18831.trm
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2dbvktm18745.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2dbvktm18745.trm
Monitored Files:
$SPLUNK_HOME/etc/splunk.version

0 Karma
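
The questions asked in this thread (does the forwarder have inputs, and does its output match what the receiver listens on) can be checked statically before touching the hosts. The following is an added example, not code from the thread or from Splunk; the function names are hypothetical and the sample input is constructed from the stanzas posted above. It checks the .conf text only, not service state or network reachability.

```python
import configparser

# Constructed sample input: the stanzas quoted in this thread.
FWD_OUTPUTS = """[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = vm1.sandbox:9997

[tcpout-server://vm1.sandbox:9997]
"""
FWD_INPUTS = "[monitor:///opt/app/oracle/diag/rdbms/vm2db/vm2db/trace]\n"
RCV_INPUTS = "[splunktcp://9997]\nconnection_host = ip\n"

def parse_conf(text):
    # Splunk .conf files are INI-like; keep key case and treat only "=" as delimiter.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def enabled(cp, stanza):
    return cp.get(stanza, "disabled", fallback="0").strip().lower() not in ("1", "true")

def forward_targets(outputs):
    # host:port entries of every group named in [tcpout] defaultGroup
    groups = outputs.get("tcpout", "defaultGroup", fallback="").split(",")
    targets = []
    for group in (g.strip() for g in groups if g.strip()):
        servers = outputs.get(f"tcpout:{group}", "server", fallback="")
        targets += [s.strip() for s in servers.split(",") if s.strip()]
    return targets

def receiver_ports(inputs):
    # ports of enabled [splunktcp://<port>] stanzas on the receiver
    return {s.rsplit(":", 1)[-1].lstrip("/") for s in inputs.sections()
            if s.startswith("splunktcp://") and enabled(inputs, s)}

def check_pipeline(fwd_outputs, fwd_inputs, rcv_inputs):
    out, fin, rin = map(parse_conf, (fwd_outputs, fwd_inputs, rcv_inputs))
    findings = []
    targets, ports = forward_targets(out), receiver_ports(rin)
    if not targets:
        findings.append("forwarder: no server in the default tcpout group")
    for t in targets:
        if t.rsplit(":", 1)[-1] not in ports:
            findings.append(f"forwarder sends to {t} but receiver listens on {sorted(ports)}")
    if not any(s.startswith("monitor://") and enabled(fin, s) for s in fin.sections()):
        findings.append("forwarder: no enabled [monitor://...] stanza")
    return findings

if __name__ == "__main__":
    print(check_pipeline(FWD_OUTPUTS, FWD_INPUTS, RCV_INPUTS) or "static config is consistent")
```

An empty result means the posted stanzas agree with each other, which leaves the runtime checks suggested in the thread: splunk list monitor on the forwarder and splunkd.log.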