Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Forwarder do not send all data

clementros
Path Finder
‎03-12-2020 06:07 AM

Hi,

I have installed splunk forwarder 8.0.2 to send data to the splunk entreprise 7.3.0.

All day, multiple .err files are created on my client server. I want to monitor all of them. Sometimes .err files are empty, sometimes they are small heavy and sometimes they are very big.

In my splunk entreprise web interface i do not see all of my .err file. I can see .err files only from August 3 from October 23. Where is other files for today and other days ?

I had some crc length errors. Know i use the parameter crcSalt = <SOURCE>

Here is my inputs.conf : 

[monitor:///prddata/JobOutput/*/*.err]
index=fileauxnfmerrorlogs
sourcetype=fcravd10logfile
crcSalt = <SOURCE>

Here is my outputs.conf:

[tcpout:splunkdev]
server=sapoxt3.os.amadeus.net:9997

How can i troobleshoot this ?

Regards,

0 Karma
Reply

kartm2020
Communicator
‎03-12-2020 06:22 AM

Hi @clementros

It is always recommended to install the same version in both indexers and forwarders. However the issue is with crclength. So you need to increase the initcrclength attribute value 512 or 1024. Try it first 512 if it doesnt works try with 1024. Increase the value by 256.
Default value of inicrclength is 256

[monitor:///prddata/JobOutput//.err]
index=fileauxnfmerrorlogs
sourcetype=fcravd10logfile
initCrcLength = 1024

Hope it works. Let me know if you are facing error after you did the above changes.

You can also go through the below link.
https://docs.splunk.com/Documentation/Splunk/8.0.2/Data/Howlogfilerotationishandled

Happy splunking!!!

0 Karma
Reply

manjunathmeti
Champion
‎03-12-2020 06:17 AM

Just search index and see if data is there. Splunk sets sourcetype for small files to too_small.

index=fileauxnfmerrorlogs
0 Karma
Reply

clementros
Path Finder
‎03-12-2020 06:19 AM

No they are not

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-12-2020 06:14 AM

Hi @clementros,
probably the problem is that you should always have on Indexers the same or higher release than the Forwarders.
Try to install the same version or upgrade (if possible) the Indexer.
For more infos see at https://docs.splunk.com/Documentation/Forwarder/8.0.2/Forwarder/Compatibilitybetweenforwardersandind...

Ciao.
Giuseppe

Reply

clementros
Path Finder
‎03-12-2020 06:18 AM

Is my license need to be change or the license is independent from the version ?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-12-2020 06:21 AM

Hi @clementros,
License is indipendent by the version.
beware, if you want to upgrade to 8, because the last version is really different and you, before upgrading, have to check apps compatibility.

Ciao.
Giuseppe

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...