Getting Data In

Forwarded events are showing on CLI output during CLI search operation.

I had configured a Splunk forwarder and receiver on a Linux system as per the Admin manual. I tried searching the forwarded events in the CLI screen using the "host" flag. The search returns no data in the CLI. What should I do to get the events in the receiver server? Can you please help?

Splunk Employee

You should be searching based on the host value you specified for the input data. The above metrics.log event only confirms that data has been sent, and there is only a very small amount (5k). Typically, you can search for your data based on the host, source, or sourcetype. So utilizing a wildcarded search with the source name (timerange over all-time) might be a way to find your data. Another possibility is that your events are so small that Splunk has not filled the buffer queue. In that case, you should try sending a complete log file.

0 Karma

I can see the events in the metrics.log. I do not understand why the search results are not shown in the CLI output. Below is the output of metrics.log on the receiver server.

04-22-2010 19:23:37.048 INFO Metrics - group=tcpin_connections, 192.168.1.200:32945:9997, connectionType=cooked, sourcePort=32945, sourceHost=192.168.1.200, sourceIp=192.168.1.200, destPort=9997, _tcp_Bps=6.39, _tcp_KBps=0.01, _tcp_avg_thruput=0.02, _tcp_Kprocessed=5.00, _tcp_eps=0.03

0 Karma
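
An added example (not part of the original thread, and not Splunk's own code): a small Python parser for `group=tcpin_connections` events in the receiver's metrics.log, like the one quoted above, that summarises per `sourceHost` how many samples were logged and how little data actually arrived. The function names are hypothetical, only the first sample line comes from the thread, and the remaining sample lines are constructed.

```python
import re
from datetime import datetime

# First line is the event quoted in the thread; the rest are constructed samples.
SAMPLE = """\
04-22-2010 19:23:37.048 INFO Metrics - group=tcpin_connections, 192.168.1.200:32945:9997, connectionType=cooked, sourcePort=32945, sourceHost=192.168.1.200, sourceIp=192.168.1.200, destPort=9997, _tcp_Bps=6.39, _tcp_KBps=0.01, _tcp_avg_thruput=0.02, _tcp_Kprocessed=5.00, _tcp_eps=0.03
04-22-2010 19:24:08.051 INFO Metrics - group=tcpin_connections, 192.168.1.200:32945:9997, connectionType=cooked, sourcePort=32945, sourceHost=192.168.1.200, sourceIp=192.168.1.200, destPort=9997, _tcp_Bps=0.00, _tcp_KBps=0.00, _tcp_avg_thruput=0.01, _tcp_Kprocessed=5.00, _tcp_eps=0.00
04-22-2010 19:24:08.052 INFO Metrics - group=queue, name=parsingqueue, current_size=0
this line is truncated garbage
"""

LINE_RE = re.compile(
    r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \w+\s+Metrics - (.*)$")

def parse_metrics_line(line):
    """Return the key=value fields of one metrics.log event, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Tokens without '=' (the ip:port:port connection id) are skipped.
    fields = dict(p.split("=", 1) for p in m.group(2).split(", ") if "=" in p)
    fields["_time"] = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S.%f")
    return fields

def summarize_forwarders(text):
    """Per sourceHost: sample count, latest KB processed, peak KB/s."""
    hosts = {}
    for line in text.splitlines():
        f = parse_metrics_line(line)
        if not f or f.get("group") != "tcpin_connections" or "sourceHost" not in f:
            continue
        h = hosts.setdefault(f["sourceHost"], {"samples": 0, "peak_KBps": 0.0})
        h["samples"] += 1
        h["peak_KBps"] = max(h["peak_KBps"], float(f.get("_tcp_KBps", 0)))
        if "last_seen" not in h or f["_time"] >= h["last_seen"]:
            h["last_seen"] = f["_time"]
            h["connectionType"] = f.get("connectionType")
            h["Kprocessed"] = float(f.get("_tcp_Kprocessed", 0))
    return hosts

if __name__ == "__main__":
    for host, h in summarize_forwarders(SAMPLE).items():
        print(f"{host} type={h['connectionType']} samples={h['samples']} "
              f"Kprocessed={h['Kprocessed']} peak_KBps={h['peak_KBps']} "
              f"last_seen={h['last_seen']}")
```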