Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Disappearing data from forwarders when using deployment server

sf_user_199
Path Finder
‎08-25-2010 08:06 PM

I have a problem with some of my forwarders, and it has me pretty well stumped.

I have a pool of 10 app servers running light forwarders. The LF are reading & forwarding apache access log data. The LF all send their data to the same splunk instance that is functioning as an intermediate forwarder. That intermediate forwarder then sends the data to our only indexer, and does not do any indexing itself.

All 10 light forwarders were setup at the same time, and are controlled by the same deployment server. When watching the various splunk logs on the intermediate forwarder, it appears that the intermediate forwarder is receiving data from all 10 light forwarders.

However, the indexer is only indexing the data from 5 of the LF. The data just seems to disappear.

Any suggestions?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sf_user_199
Path Finder
‎10-28-2010 08:10 PM

As it turns out, some of the light forwarders assigned themselves a host name that did not match the name of the host that the light forwarder was installed on. My assumption is that there is a problem on the host as a result of the server build process.

Removing the incorrect hostname from the .conf files & restarting the light forwarders fixed the issue.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sf_user_199
Path Finder
‎10-28-2010 08:10 PM

As it turns out, some of the light forwarders assigned themselves a host name that did not match the name of the host that the light forwarder was installed on. My assumption is that there is a problem on the host as a result of the server build process.

Removing the incorrect hostname from the .conf files & restarting the light forwarders fixed the issue.

0 Karma
Reply
Solved! Jump to solution

sf_user_199
Path Finder
‎08-30-2010 07:35 PM

I wish it was that simple. I checked the file input status page, and the Splunk LF's are able to read the file.

0 Karma
Reply
Solved! Jump to solution

chris
Motivator
‎08-29-2010 12:54 PM

We once had a similar problem - until we found, that splunk had no access to the log files on one part of our servers

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...