Getting Data In

Forwarded events are showing on CLI output during CLI search operation.

sivakumar_inbox
Engager

I had configured a Splunk forwarder and receiver on a Linux system as per the Admin manual. I tried searching for the forwarded events on the CLI using the "host" flag. The search returns no data in the CLI. What should I do to get the events on the receiver server? Can you please help?


Simeon
Splunk Employee

You should be searching based on the host value you specified for the input data. The above metrics.log event only confirms that data has been sent, and there is only a very small amount (5k). Typically, you can search for your data based on the host, source, or sourcetype. So using a wildcarded search with the source name (time range set to all time) might be a way to find your data. Another possibility is that your events are so small that Splunk has not filled the buffer queue. In that case, you should try sending a complete log file.


sivakumar_inbox
Engager

I can see the events in metrics.log. I do not understand why the search results are not shown in the CLI output. Below is the output of metrics.log on the receiver server.

04-22-2010 19:23:37.048 INFO Metrics - group=tcpin_connections, 192.168.1.200:32945:9997, connectionType=cooked, sourcePort=32945, sourceHost=192.168.1.200, sourceIp=192.168.1.200, destPort=9997, _tcp_Bps=6.39, _tcp_KBps=0.01, _tcp_avg_thruput=0.02, _tcp_Kprocessed=5.00, _tcp_eps=0.03

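The metrics.log line quoted above is the receiver's own record of what the forwarder connection delivered, and the answer's point is that its _tcp_Kprocessed value (5.00 KB) is far too little to expect much in a search. The script below is an added example, not code from the thread or from Splunk: it parses group=tcpin_connections lines out of a metrics.log excerpt, reports the running total of kilobytes received per forwarder, and flags forwarders that connected but sent almost nothing, which is the situation the thread describes. The log excerpt is constructed for the example (the first line is the one posted above; the second forwarder 192.168.1.201, the later sample and the group=queue line are invented to exercise the parser), and the 64 KB threshold is an arbitrary assumption, not a Splunk setting.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample, not real receiver output. Line 1 is the line posted in
# the thread; the rest are invented in the same format: a later sample from the
# same forwarder (still 5 KB total), a second forwarder that has sent a whole
# file, and an unrelated group=queue line that the tcpin filter must ignore.
SAMPLE_METRICS_LOG = """\
04-22-2010 19:23:37.048 INFO Metrics - group=tcpin_connections, 192.168.1.200:32945:9997, connectionType=cooked, sourcePort=32945, sourceHost=192.168.1.200, sourceIp=192.168.1.200, destPort=9997, _tcp_Bps=6.39, _tcp_KBps=0.01, _tcp_avg_thruput=0.02, _tcp_Kprocessed=5.00, _tcp_eps=0.03
04-22-2010 19:24:07.048 INFO Metrics - group=tcpin_connections, 192.168.1.200:32945:9997, connectionType=cooked, sourcePort=32945, sourceHost=192.168.1.200, sourceIp=192.168.1.200, destPort=9997, _tcp_Bps=0.00, _tcp_KBps=0.00, _tcp_avg_thruput=0.01, _tcp_Kprocessed=5.00, _tcp_eps=0.00
04-22-2010 19:24:07.049 INFO Metrics - group=tcpin_connections, 192.168.1.201:41022:9997, connectionType=cooked, sourcePort=41022, sourceHost=192.168.1.201, sourceIp=192.168.1.201, destPort=9997, _tcp_Bps=5120.00, _tcp_KBps=5.00, _tcp_avg_thruput=4.80, _tcp_Kprocessed=1536.00, _tcp_eps=12.50
04-22-2010 19:24:07.050 INFO Metrics - group=queue, name=parsingqueue, max_size_kb=6144, current_size_kb=0, current_size=0, largest_size=2, smallest_size=0
"""

# "MM-DD-YYYY HH:MM:SS.mmm LEVEL Metrics - <fields>"
LINE_RE = re.compile(
    r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\w+) Metrics - (.*)$"
)
# key=value pairs; the bare "ip:port:port" token carries no '=' and is skipped
KV_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_metrics_log(text: str) -> List[Dict[str, str]]:
    """Turn each metrics.log line into a dict of its key=value fields.

    The timestamp and level are kept under _time and _level so they cannot
    collide with field names that Splunk emits.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or non-metrics line
        fields = {"_time": m.group(1), "_level": m.group(2)}
        fields.update(KV_RE.findall(m.group(3)))
        events.append(fields)
    return events


def tcpin_connections(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Only the receiver-side forwarder connection samples."""
    return [e for e in events if e.get("group") == "tcpin_connections"]


def kb_received_by_forwarder(events: List[Dict[str, str]]) -> Dict[str, float]:
    """Kilobytes received per forwarder host.

    _tcp_Kprocessed is a running total for a connection, so the latest (largest)
    value per sourceHost is the amount delivered, not the sum of the samples.
    """
    totals: Dict[str, float] = defaultdict(float)
    for e in tcpin_connections(events):
        host = e["sourceHost"]
        totals[host] = max(totals[host], float(e["_tcp_Kprocessed"]))
    return dict(totals)


def thin_forwarders(events: List[Dict[str, str]], min_kb: float = 64.0) -> List[str]:
    """Forwarders that connected but delivered less than min_kb in total.

    The 64 KB default is an assumption for this example, chosen to catch the
    "a few small events, nothing to search yet" case from the thread.
    """
    return sorted(
        host for host, kb in kb_received_by_forwarder(events).items() if kb < min_kb
    )


if __name__ == "__main__":
    evts = parse_metrics_log(SAMPLE_METRICS_LOG)
    for host, kb in sorted(kb_received_by_forwarder(evts).items()):
        print(f"{host}: {kb:.2f} KB received")
    for host in thin_forwarders(evts):
        print(f"{host}: connected but sent very little; send a full log file and search all time")
```

Run it against a copy of the receiver's $SPLUNK_HOME/var/log/splunk/metrics.log instead of the embedded sample to see every forwarder that has connected and how much each has delivered; a forwarder that appears here with a tiny total is the case the answer describes, and one that does not appear at all has not connected to the receiving port, which is a different problem from the search terms.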