Deployment Architecture

Splunk forwarder not able to send data to TA-NIX index

subaldhawan
New Member

The current setup for the forwarder server is that it sends data to 2 indexes: one is the TA NIX index and the other is used for some log files. No data is coming in for the TA NIX index, but for the log files index data is coming in correctly. I checked splunkd.log and could not see any error related to the TA NIX scripts.

There was an execute permission issue with one TA-NIX script (cpu.sh), and at that time data was coming correctly into the corresponding index for the other scripts. I fixed the permission issue and restarted the forwarder. After that, no data is being reported for the TA NIX index.

Can you please help with how to debug this issue?

0 Karma

subaldhawan
New Member

The owner and group of the TA NIX application directory were root and system. The Splunk forwarder was installed with some splunk user, and this user didn't have the privilege to supersede the root user to execute anything in that directory. The owner and group were changed to splunk and it worked fine.

For the cpu.sh script, the Splunk user was made a part of the adm group on the AIX server, and after that it was able to execute the sar -P ALL 1 1 command present in the script.

Note: Some of the commands present in the TA NIX scripts require root privileges, so make sure to install the Splunk forwarder as the root user. In case the forwarder is installed with some splunk user, you need to provide the proper permissions to execute those commands.

0 Karma
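One way to confirm the cause described in the answer above before changing ownership, as an added example that is not part of the original thread: run this check as the account the forwarder runs under and it lists every TA script that account cannot read or execute. The script name `check_ta_perms.sh` and the install path in the comment are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example. Run as the forwarder's service account, for instance:
#   su - splunk -c 'sh check_ta_perms.sh /opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin'
# (path and account name are assumed defaults; substitute your own).

# check_ta_scripts DIR
# Prints one line per script the current user cannot read or execute.
# Returns 0 when every *.sh in DIR is usable, 1 otherwise.
check_ta_scripts() {
    dir=$1
    problems=0

    # The directory must be listable (r) and searchable (x) by this user,
    # otherwise no script inside it can be launched at all.
    if [ ! -d "$dir" ] || [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo "DIR_NOT_ACCESSIBLE $dir"
        return 1
    fi

    for script in "$dir"/*.sh; do
        [ -e "$script" ] || continue    # glob matched nothing
        if [ ! -r "$script" ]; then
            echo "NOT_READABLE $script"
            problems=$((problems + 1))
        elif [ ! -x "$script" ]; then
            echo "NOT_EXECUTABLE $script"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# When called with a directory argument, show who we are, who owns the
# directory, and the result of the check.
if [ -n "${1:-}" ]; then
    echo "Running as: $(id)"
    ls -ld "$1"
    rc=0
    check_ta_scripts "$1" || rc=$?
    echo "Result: $rc (0 = all scripts usable by this account)"
fi
```

A clean result only covers file permissions; a script can still fail if a command it calls, such as the sar invocation in cpu.sh, needs group membership or privileges the account lacks.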

sbbadri
Motivator

@subaldhawan

Data will be collected under os index.

1) Did you check that the os index is enabled on all indexers?
2) Log in to one of the forwarders and execute the command below. It should pull some results.
$SPLUNK_HOME/bin/splunk btool inputs list --debug | grep cpu
3) Execute this command:
$SPLUNK_HOME/bin/splunk list inputstatus

0 Karma

adonio
Ultra Champion

hello there,
try and start here:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Troubleshooting/Cantfinddata
can you share the inputs.conf on your TA-nix?

hope it helps

0 Karma