Hello, I need to send specific log file data from an HF to a specific index on a peer.
bash-4.2$ more inputs.conf
[monitor:///tmp/Apache_test/Apache_Logs.txt]
_TCP_ROUTING = APCHA
index = test
bash-4.2$ more outputs.conf
[tcpout:APCHA]
server = cluser-peer.splunk.com:9997
I have already created an index on my cluser-peer.splunk.com server: index = test
After completing the set-up, when I tried to search index=test in the SH or anywhere, I am getting no results.
Please help me out if I am missing anything.
Hi Prakhar_shukla,
probably you didn't insert the full outputs.conf file so at the end there's also the following row:
[tcpout-server://cluser-peer.splunk.com:9997]
At first I'd try to use the IP address instead of the hostname to be sure that the host is correctly resolved.
If the problem is still present, try to debug the HF's logs:
in $SPLUNK_HOME/var/log/splunk/splunkd.log
search for connections to cluser-peer.splunk.com.
If the connection is correctly established, test log extraction by sending logs to all servers, deleting the _TCP_ROUTING = APCHA row in inputs.conf.
Try to insert crcSalt = <SOURCE>
in the monitor stanza of the inputs.conf file (and restart Splunk, obviously!).
If you still have no logs in your indexer, verify the log path (/tmp/Apache_test/Apache_Logs.txt) and try to modify [monitor://......] in inputs.conf using another log file.
Bye.
Giuseppe
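An added example, not part of the answer above and not Splunk tooling: a Python check that each monitor stanza's _TCP_ROUTING names a [tcpout:<group>] stanza that exists in outputs.conf and has a server, run on the configuration from the question. The function names are this example's own, and the useACK finding assumes the forwarder-side acknowledgment setting in outputs.conf.

```python
import configparser

# The configuration from the question, embedded so the check runs offline.
PAGE_INPUTS = """[monitor:///tmp/Apache_test/Apache_Logs.txt]
_TCP_ROUTING = APCHA
index = test
"""
PAGE_OUTPUTS = """[tcpout:APCHA]
server = cluser-peer.splunk.com:9997
"""

def load_conf(text):
    """Parse Splunk .conf text, keeping key case (e.g. _TCP_ROUTING, useACK)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def check_routing(inputs_text, outputs_text):
    """Return findings about how monitor inputs map to tcpout groups."""
    inputs, outputs = load_conf(inputs_text), load_conf(outputs_text)
    # Only [tcpout:<group>] stanzas define routable target groups.
    groups = {s.split(":", 1)[1]: outputs[s]
              for s in outputs.sections() if s.startswith("tcpout:")}
    findings = []
    for stanza in inputs.sections():
        if not stanza.startswith("monitor://"):
            continue
        opts = inputs[stanza]
        if not opts.get("index", "").strip():
            findings.append(f"{stanza}: no index set, so the default index is used")
        # _TCP_ROUTING takes a comma-separated list of tcpout group names.
        routing = [g.strip() for g in opts.get("_TCP_ROUTING", "").split(",")]
        for group in filter(None, routing):
            if group not in groups:
                findings.append(f"{stanza}: tcpout group '{group}' is not defined in outputs.conf")
            elif not groups[group].get("server", "").strip():
                findings.append(f"{stanza}: tcpout group '{group}' has no server setting")
            elif groups[group].get("useACK", "false").strip().lower() not in ("true", "1"):
                findings.append(f"{stanza}: tcpout group '{group}' does not enable useACK")
    return findings

if __name__ == "__main__":
    for line in check_routing(PAGE_INPUTS, PAGE_OUTPUTS):
        print(line)
```
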
Thanks cusello and woodcock. Apart from adding the last line of the stanza, I had to enable index acknowledgment to make it work.
The body-less stanza header is completely useless and unnecessary so that cannot be it. I agree with the rest of what @cusello advises, though.
Hello cusello, in the search head I am getting data, but it is very weird.
1) In search I can see cluster-peer2 in splunk-server in the SH; I only configured cluster-peer1 for this specific log monitoring.
2) It is coming via index "main" rather than the index (test) I created and specified in the input file.
Hi,
Are you sure it's cluser? And not cluster?