Deployment Architecture

How can I check whether the data is being forwarded to indexer

pratapa
Explorer

How can I check whether the data from a server is being forwarded to indexer.

Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Search for the data. Look for it in the index specified in the inputs.conf file as well as in your Last Chance index ("main" or whatever you've designated), if you have one.

Another way is to look in the internal logs. Search index=_internal source=*metrics.log group=per_source_thruput and look for series field values that match your source names.

---
If this reply helps you, Karma would be appreciated.
0 Karma

pratapa
Explorer

I am checking with the following search query whether the data is being forwarded to indexer from host1. But search query returned
No results found.

index=_internal source=*metrics.log group=per_source_thruput host=host1

How should I troubleshoot from here.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Look in the internal index for tcpin_connection events from host1. index=_internal source=*splunkd.log host=host1 tcpin_connection.

If you find nothing there then data is not being forwarded. Check the forwarder's splunkd.log ($SPLUNK_HOME/var/log/splunk/splunkd.log) for possible reasons. Check your firewalls.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...