Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Few forwarders not sending data

Vetrikmr
New Member
‎12-14-2017 10:41 AM

Hey everyone, I have installed UF agents in 180 servers and i have seen the data coming to splunk yesterday. But now i have noticed three of them are not sending data, I mean i am seeing 177 hosts in splunk. So how can we find out what are those three UF's which is not sending data. I have configured all these using Deployment server. Same index and same sourcetype. And is there a way that we can get alerts when the forwarder stops sending data or gets any issue? I am using splunk 6.3. Thank you

0 Karma
Reply

adonio
Ultra Champion
‎12-14-2017 01:37 PM

hello there,

when you say "not sending data" do you mean to the regular indexes or to _internal index?
try this to find out how many distinct forwarders are out there and who sends to _internal but does not send "data": 

| tstats dc(host) as unique values(host) as hosts where index=_*
| mvexpand hosts
| appendcols [ | tstats values(host) as data_hosts where index=*]
| eval match = if(hosts=data_hosts,1,0)
| where match=0

if you have only 177 distinct forwarders, then you will probably will have to manuallt figure out where are the other 3.
if you have 180 sends to _internal then it means that those unique 3 either have wrong inputs on them or there is no data generated.

hope it helps

0 Karma
Reply

cboillot
Contributor
‎02-16-2018 08:11 AM

I am not sure what this search is doing. I went line by line and was following up until I got to line 3. Line three adds a field with all the host, but just for the first entry, as least it does when I run them. From here, only the all 500+ host would still be listed at step five, except for the first one.

Is there something I am missing?

what I did get to work, or it seems like it works, is this:

| tstats dc(host) as unique values(host) as hosts where index=_*
| appendcols [ | tstats values(host) as data_hosts where index=*]
| mvexpand hosts
| eval match = if(hosts=data_hosts,1,0)
| where match=0

0 Karma
Reply

somesoni2
Revered Legend
‎12-14-2017 01:29 PM

See this
http://docs.splunk.com/Documentation/Splunk/7.0.1/Troubleshooting/Cantfinddata

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...