Hi
I have some issues with my Splunk Enterprise installation.
- I have some forwarders on Red Hat based hosts (with the universal forwarder) which I can see fine when using the "Deployment Monitor" app, under "All forwarders", where it seems they are delivering data.
- But when trying to search for events which originate from these hosts, no results.
Hi - yes, I have a folder structure defined in inputs.conf, and I have 7 other forwarders whose data shows up just fine when searched.
Here is the first part of the all_forwarders search macro definition:
[forwarder_metrics]
definition = index="_internal" source="*metrics.lo*" group=tcpin_connections
If you would like to search the same events being used by the Deployment Monitor, make sure to specify index=_internal in your search.
Hi
As I see it, I'm getting data from them - the "Last Data Received" in the Deployment Monitor is always a few seconds ago.
And the timeframe is just set to "All" - and it just returns "No results found" when searching "host=".
In the splunkd.log on the forwarders I'm just seeing:
Connected to idx=
Hi maradibs, I'm sorry that you're still having trouble.
Data for the Deployment Monitor goes to the _internal index, and only to the _internal index.
If you see the forwarder in the dashboard, there are definitely events for it in the _internal index.
As mentioned by somesoni, the _internal index is where you will see any errors.
Make sure your search covers an appropriate time range, as it is possible that your forwarder was reporting previously but is no longer.
If you still don't see any events, try looking directly at splunk/var/log/splunk/splunkd.log on your forwarder.
Hi
Unfortunately this doesn't work 😕
I have 7 other forwarders, configured in the exact same way, which show up in search just fine.
Check the logs in the _internal index from these hosts to see if you're getting any errors.
Have you set the forwarders to monitor anything? Do you have a port open to accept the data?
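The checks suggested in this thread (search the same tcpin_connections events the Deployment Monitor macro uses, look for errors in _internal, confirm the forwarder actually monitors something and the indexer accepts it) can be run as a small set of saved searches. The savedsearches.conf below is an added example written for this thread, not a file from the original post or from Splunk's Deployment Monitor app; FORWARDER_NAME is a placeholder for the name shown under "All forwarders", and the stanza names are arbitrary.

```ini
# savedsearches.conf (added example, not from the thread or from Splunk).
# Drop it into an app on the search head, for example
# $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf, then run each
# search from Searches & Reports. FORWARDER_NAME is a placeholder for the
# hostname the Deployment Monitor lists under "All forwarders".

# 1. The same events the forwarder_metrics macro reads: is the indexer still
#    seeing a tcpin connection from this forwarder, from which IP, of which
#    forwarder type, and how many KB has it received over the last hour?
[fwd_check_1_tcpin_connection]
search = index=_internal source="*metrics.lo*" group=tcpin_connections hostname=FORWARDER_NAME | stats latest(_time) AS last_seen sum(kb) AS kb_received values(sourceIp) AS src_ip values(fwdType) AS fwd_type BY hostname, guid | convert ctime(last_seen)
dispatch.earliest_time = -1h

# 2. Which host= values are actually arriving, across ALL indexes. A bare
#    host=... search only looks at your role's default search indexes, so
#    data landing in a custom index, or arriving under a different host name
#    than the one you typed, returns "No results found" even though it is there.
[fwd_check_2_where_did_it_land]
search = index=* | stats count BY host, index, sourcetype | sort - count
dispatch.earliest_time = -1h

# 3. The forwarder's own metrics.log is forwarded into _internal. The
#    per_source_thruput group lists every file its inputs.conf monitor
#    stanzas are actually reading ("series" is the file path). No rows here
#    means the monitor stanza never matched a readable file.
[fwd_check_3_forwarder_monitored_files]
search = index=_internal host=FORWARDER_NAME source="*metrics.lo*" group=per_source_thruput | stats sum(kb) AS kb_read latest(_time) AS last_read BY series | convert ctime(last_read)
dispatch.earliest_time = -1h

# 4. WARN/ERROR lines from the forwarder's splunkd.log and from the
#    indexer's IndexProcessor. An inputs.conf index=... that does not exist
#    on the indexer is a classic cause of "forwarder connected, nothing
#    searchable": the indexer logs the unconfigured index here and drops
#    the events instead of indexing them.
[fwd_check_4_warnings_and_errors]
search = index=_internal source="*splunkd.log*" (host=FORWARDER_NAME OR component=IndexProcessor) (log_level=WARN OR log_level=ERROR) | stats count latest(_raw) AS example BY host, component, log_level
dispatch.earliest_time = -24h
```

Run the four searches in order: if check 1 returns a row but check 2 shows the host only in _internal, the forwarder is connected but none of its monitored data is being indexed; check 3 then tells you whether the forwarder is reading any files at all, and check 4 whether the indexer is rejecting what it sends. On the forwarder itself, `splunk list inputstatus` and `splunk list forward-server` (both standard universal forwarder CLI commands) give the same two answers directly.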