Hi,
My Splunk forwarder is working inconsistently and is not forwarding data regularly. When I restart the forwarder it immediately sends all the data till that time. And then does not forward it till the next restart.
Kindly advise.
It seems that someone had removed the entries from transform.conf and props.conf for my index. I updated the entries and the issue got fixed.
I have researched and found 2 possible solutions for this.
Check $SPLUNK_HOME/var/log/splunkd.log on the forwarder - or in Splunk if it managed to forward it - for any messages.
I have seen this happen because the forwarder is sorting through too many directories and files. If you have inputs.conf like this:
[monitor:///somedir/logs/]
index=myindex
sourcetype=mysourcetype
You need to add this stuff, too, to limit the number of files that Splunk has to examine and the number of directories it has to traverse:
recursive = false
# whitelist and blacklist take regular expressions, not shell globs
whitelist = \.log$
blacklist = badfile.*\.log$
Also if you are using /.../ in the path of the stanza header, try to be more explicit, even if all you can do is change to /*/
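Added example, not part of the answer above and not Splunk's own code: a dry run that counts how many files and directories a monitor stanza like the one shown would have to examine, before and after the three extra settings. It assumes a simplified model (patterns are regular expressions searched against the full path, a blacklist match wins over a whitelist match), and the function names and the sample directory tree are constructed for illustration.

```python
import os
import re
import tempfile

def monitored_files(root, recursive=True, whitelist=None, blacklist=None):
    """Return (kept_files, dirs_visited) for a simplified model of a monitor stanza.

    Assumption: whitelist/blacklist are regexes searched against the full path,
    and a blacklist match wins over a whitelist match.
    """
    allow = re.compile(whitelist) if whitelist else None
    deny = re.compile(blacklist) if blacklist else None
    kept, dirs_visited = [], 0
    for dirpath, dirnames, filenames in os.walk(root):
        dirs_visited += 1
        if not recursive:
            dirnames[:] = []  # stop os.walk from descending, like recursive = false
        for name in filenames:
            path = os.path.join(dirpath, name)
            if deny and deny.search(path):
                continue
            if allow and not allow.search(path):
                continue
            kept.append(path)
    return sorted(kept), dirs_visited

def build_sample_tree(root):
    """Constructed sample data: a log directory with rotated and archived files."""
    layout = ["app.log", "app_badfile_1.log", "app.log.1.gz", "core.dump",
              "archive/2019/old.log", "archive/2020/old.log", "tmp/scratch.txt"]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for label, opts in [
            ("stanza as first shown", {}),
            ("with the three added settings",
             dict(recursive=False, whitelist=r"\.log$", blacklist=r"badfile.*\.log$")),
        ]:
            files, dirs = monitored_files(root, **opts)
            print(f"{label}: {len(files)} files, {dirs} directories")
```

Pointing monitored_files at the real monitored directory on the forwarder host gives a quick estimate of how much the stanza asks the forwarder to track.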