Archive

SplunkForwarder not reporting\showing up on server

Engager

Hello all,

I've tried to locate an answer for this issue for the past few days with no luck. So I have decided to give it a shot here, perhaps someone ran into this issue before or at least can assist in providing assistance. Any feedback is greatly appreciated.

I am using Splunk with Dev license. Installed the forwarders on >200 Windows machines. Only about 55 are reporting back to the server. I am mainly looking in the data set > data summary > hosts to see the machines that are reporting. I am not sure why the remaining are not reporting back or showing up in the hosts list.

SplunkEnterprise Ver 7.2.6

Thank you for your time,

0 Karma

Contributor

@raphabaroudi,

Did u check the connectivity between those forwarders and the Splunk instance?

0 Karma

SplunkTrust
SplunkTrust

Try this alternative method to list your forwarders.

index=_internal group=tcpin_connections 
| stats latest(version) as version latest(arch) as arch latest(os) as os latest(fwdType) as fwdType by hostname
---
If this reply helps you, an upvote would be appreciated.

Engager

I have on several of them, and the seemed to communicate properly. I am still going through the splunkd.log to see if anything stands out.

0 Karma

Engager

Thank you for the response. I have tried the method above and it indicates the same number of forwarders as the ones shown in the data summary.

0 Karma

SplunkTrust
SplunkTrust

Then you have the correct number. The next step is to determine why the remaining forwarders are not connecting. You'll need to sign in to a server that is not reporting and examine the splunkd.log file.

---
If this reply helps you, an upvote would be appreciated.
0 Karma