Getting Data In

Data from forwarder arrives at the indexer but does not get indexed

chris
Motivator

Hi

I have set up a light weight forwarder that appears to be getting data to the indexer. But I can't search for any data from that forwarder in splunk.

This is what I see in the metrics.log on the indexer: 03-03-2010 17:55:25.602 INFO Metrics - group=tcpin_connections, :61464:9997, connectionType=cooked, sourcePort=61464, sourceHost=, sourceIp=, destPort=9997, _tcp_Bps=6.39, _tcp_KBps=0.01, _tcp_avg_thruput=13.09, _tcp_Kprocessed=8166.00, _tcp_eps=0.03

Is there a way to find out where the data went that arrived on the indexer?

Tags (3)
1 Solution

dskillman
Splunk Employee
Splunk Employee

Chances are you have the forwarder inputs set to use an index that doesn't exist on the indexer. Check your inputs.conf file and see what "index =". Add that index to the indexer and your data should show up.

DJ

View solution in original post

0 Karma

dskillman
Splunk Employee
Splunk Employee

Chances are you have the forwarder inputs set to use an index that doesn't exist on the indexer. Check your inputs.conf file and see what "index =". Add that index to the indexer and your data should show up.

DJ

0 Karma

chris
Motivator

The index did exist on the indexer, I reinstalled the agent among other things. I can't say what was wrong in the end. This is a list of things I check to get forwarders running: Splunk user must have read access to the files that will be monitored, Correct server configured in outputs.conf, "INFO TcpInputProc - Connection accepted from" Messages in splunkd.log on the indexer, Check for Messages in metrics.log on the indexer, Query splunk for events you expect

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...