Forwarder is active - indexer no data

eholz1
Contributor

Forgive me for bringing this up. The problem is forwarding and receiving.
At one time I had this working. Now, nothing works.
I have a universal forwarder installed on a Red Hat Linux ver 7.6 server.
The outputs file is:
[tcpout]
defaultGroup=net_files
[tcpout:net_idx]
server=10.48.11.67:9997

The list forwarder command indicates these values as active forwards.
I have my indexer set to "listen" on data input: "Local Inputs" - TCP, and port 9997.
With this configuration I get only "cooked" data - no data from the files I am monitoring.
These files show correctly in the "splunk list monitor" CLI command on the universal forwarder.

The inputs.conf file on receiver/indexer:
[default]
[splunktcp://9997]
disabled = 0

I have restarted the forwarder, indexer, and syslog-ng (which forwards the data).
One of the files I monitor is updated every 30 sec or so, so that data should be transferred to the indexer; it is not.

Do you have any idea on how to resolve this issue? I am baffled as a week ago it was all working fine.
The only change I tried was forwarding the same data to a different indexer.

I am open to suggestions,
Thanks,
Eholz1

0 Karma
1 Solution

alanzchan
Path Finder

Check your internal logs for any errors in TcpOutputProc on forwarders and TcpInputProc on indexers.

I suspect the issue is in your outputs stanza. Try changing the net_files to net_idx.

0 Karma
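
The mismatch pointed out in the answer above (`defaultGroup=net_files` against a stanza named `[tcpout:net_idx]`) can be checked mechanically. This is an added example, not part of the original thread and not Splunk tooling; the function name `check_outputs` and the corrected sample are assumptions made here.

```python
import configparser

# Constructed samples: the outputs.conf as posted in the question, and the
# same file with the change suggested in the answer applied.
AS_POSTED = """\
[tcpout]
defaultGroup=net_files
[tcpout:net_idx]
server=10.48.11.67:9997
"""
CORRECTED = AS_POSTED.replace("defaultGroup=net_files", "defaultGroup=net_idx")


def check_outputs(conf_text):
    """Cross-check defaultGroup names against the [tcpout:<group>] stanzas."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.optionxform = str  # keep setting names such as defaultGroup as written
    cp.read_string(conf_text)

    # Target groups are the stanzas named [tcpout:<group>].
    defined = {s.split(":", 1)[1]: cp[s]
               for s in cp.sections() if s.startswith("tcpout:")}

    # defaultGroup in [tcpout] is a comma-separated list of group names.
    default = []
    if cp.has_section("tcpout"):
        raw = cp["tcpout"].get("defaultGroup", "")
        default = [g.strip() for g in raw.split(",") if g.strip()]

    return {
        # Named in defaultGroup but no matching stanza: nothing is sent there.
        "undefined": [g for g in default if g not in defined],
        # Informational: defined but not a default group (such a group is
        # only used if an input routes to it explicitly via _TCP_ROUTING).
        "unreferenced": sorted(g for g in defined if g not in default),
        # Defined group without any server= receivers.
        "no_server": sorted(g for g, st in defined.items()
                            if not st.get("server", "").strip()),
    }


if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, check_outputs(text))
```
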

eholz1
Contributor

Hello and thanks for the reply.

I checked the logs but found no problems there.
I changed the outputs.conf per your suggestion, restarted the forwarder and indexer, but no luck.

Any other suggestions?

Thanks again

eholz1

0 Karma

alanzchan
Path Finder

I’m guessing that solved your problem since you accepted my answer. If not, check this out: https://answers.splunk.com/answers/696093/what-are-the-basic-troubleshooting-steps-in-case-o.html

0 Karma

eholz1
Contributor

Yes, but thanks for the link above; it is very helpful.

eholz1

0 Karma