Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Forwarder is active - indexer no data

eholz1
Builder
‎06-28-2019 10:35 AM

Forgive me for bringing this up. The problem is forwarding and receiving.
At one time I had this working. Now, nothing works.
I have a universal forwarder installed on a red hat linux ver 7.6 server.
The outputs file is:
[tcpout]
defaultGroup=net_files
[tcpout:net_idx]
server=10.48.11.67:9997

the list forwarder command indicates these values as active forwards
I have my indexer set to "listen" on data input: "Local Inputs" - TCP, and port 9997
With this configuration I get only "cooked" data - no data from the files I am monitoring
These files show correctly in the "splunk list monitor" cli command on the universal forwarder

The inputs.conf file on receiver/indexer:
[default]
[splunktcp://9997]
disabled = 0

I have restarted the forwarder,indexer, and syslog-ng (which forwards the data)
One of the files I monitor is updated every 30 sec or so, so that data should be transferred to the indexer, it is not.

Do you have any idea on how to resolve this issue? I am baffled as a week ago it was all working fine.
The only change I tried was forwarding the same data to a different indexer.

I am open to suggestions,
Thanks,
Eholz1

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

alanzchan
Path Finder
‎06-28-2019 11:22 AM

Check your internal logs for any errors in TcpOutputProc on forwarders and TcpInputProc on indexers.

I suspect the issue is in your outputs stanza. Try changing the net_files to net_idx.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

alanzchan
Path Finder
‎06-28-2019 11:22 AM

Check your internal logs for any errors in TcpOutputProc on forwarders and TcpInputProc on indexers.

I suspect the issue is in your outputs stanza. Try changing the net_files to net_idx.

0 Karma
Reply
Solved! Jump to solution

eholz1
Builder
‎06-28-2019 02:17 PM

Hello and thanks for the reply

I checked the logs but found no problems there.
I changed the outputs.conf per your suggestion, restarted the forwarder, and indexer, but
no luck.

any other suggestions?

thanks again

eholz1

0 Karma
Reply
Solved! Jump to solution

alanzchan
Path Finder
‎06-28-2019 04:58 PM

I’m guessing that solved your problem since you accepted my answer. If not, check this out: https://answers.splunk.com/answers/696093/what-are-the-basic-troubleshooting-steps-in-case-o.html

0 Karma
Reply
Solved! Jump to solution

eholz1
Builder
‎07-01-2019 10:13 AM

Yes, but thanks for the link above, it is very helpful

eholz1

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...