Current setup for forwarder server is, it sends data to 2 indexes. One for the TA NIX index and the other index is being used for some log files. No data is coming for TA NIX index but for the log files index, data is coming correctly. I checked in splunkd.log and could not see any error related to TA NIX scripts.
There was some execute permission issue with one TA-NIX (cpu.sh) script and that time data was coming correctly in the corresponding index for the other scripts. I fixed the permission issue and restarted the forwarder. After that, no data is getting reported for TA NIX index.
Can you please help here how to debug this issue.
Owner and group of TA NIX application/directory was root and system. Splunk forwarder was installed with some splunk user and this user didn't have the privilege, to supersede root user to execute anything, in that directory. Owner and group changed to splunk and it worked fine.
For cpu.sh script, Splunk user was made a part of adm group on AIX server and after that, it was able to execute the sar -P ALL 1 1 command present in the script.
Note: Some of the commands present in TA NIX scripts require root privileges, make sure to install the splunk forwarder as root user. In case forwarder installed with some splunk user, need to provide the proper permissions to execute those commands.
Data will be collected under os index.
1) Did you check os index is enabled on all indexers.
2) Login to one of the forwarder and execute below command. It should pulll some results
$SPLUNK_HOME/bin/splunk btool list inputs --debug cpu
3) Execute this command
$SPLUNK_HOME/bin/splunk list inputstatus
hello there,
try and start here:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Troubleshooting/Cantfinddata
can you share the inputs.conf on your TA-nix?
hope it helps