Getting Data In

Forwarder is active - indexer no data

eholz1
Builder

Forgive me for bringing this up. The problem is forwarding and receiving.
At one time I had this working. Now, nothing works.
I have a universal forwarder installed on a Red Hat Linux ver 7.6 server.
The outputs file is:
[tcpout]
defaultGroup=net_files
[tcpout:net_idx]
server=10.48.11.67:9997

The list forwarder command indicates these values as active forwards.
I have my indexer set to "listen" on data input: "Local Inputs" - TCP, and port 9997.
With this configuration I get only "cooked" data - no data from the files I am monitoring.
These files show correctly in the "splunk list monitor" CLI command on the universal forwarder.

The inputs.conf file on receiver/indexer:
[default]
[splunktcp://9997]
disabled = 0

I have restarted the forwarder, indexer, and syslog-ng (which forwards the data).
One of the files I monitor is updated every 30 sec or so, so that data should be transferred to the indexer, but it is not.

Do you have any idea on how to resolve this issue? I am baffled as a week ago it was all working fine.
The only change I tried was forwarding the same data to a different indexer.

I am open to suggestions,
Thanks,
Eholz1

0 Karma
1 Solution

alanzchan
Path Finder

Check your internal logs for any errors in TcpOutputProc on forwarders and TcpInputProc on indexers.

I suspect the issue is in your outputs stanza. Try changing the net_files to net_idx.

0 Karma
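
A check for the mismatch pointed out in the answer above, as an added example that is not part of the original thread and not Splunk tooling: it parses outputs.conf text and reports any defaultGroup name that has no matching [tcpout:<group>] stanza. The function names are hypothetical; the sample configuration is the one posted in the question.

```python
"""Check that every defaultGroup in outputs.conf names a defined [tcpout:<group>] stanza."""


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas


def check_outputs(text):
    """Return a list of target-group problems; an empty list means consistent."""
    stanzas = parse_conf(text)
    # Group names that actually have a [tcpout:<name>] stanza
    defined = {n.split(":", 1)[1] for n in stanzas if n.startswith("tcpout:")}
    default = stanzas.get("tcpout", {}).get("defaultGroup", "")
    problems = []
    for group in (g.strip() for g in default.split(",") if g.strip()):
        if group not in defined:
            problems.append(f"defaultGroup '{group}' has no [tcpout:{group}] "
                            f"stanza (defined groups: {sorted(defined)})")
        elif not stanzas[f"tcpout:{group}"].get("server"):
            problems.append(f"[tcpout:{group}] has no server setting")
    return problems


# outputs.conf exactly as posted in the question
POSTED = """\
[tcpout]
defaultGroup=net_files
[tcpout:net_idx]
server=10.48.11.67:9997
"""
# The same file with the change suggested in the answer
FIXED = POSTED.replace("defaultGroup=net_files", "defaultGroup=net_idx")

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("fixed", FIXED)):
        print(label, "->", check_outputs(conf) or "OK")
```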

eholz1
Builder

Hello and thanks for the reply.

I checked the logs but found no problems there.
I changed the outputs.conf per your suggestion, restarted the forwarder and indexer, but no luck.

Any other suggestions?

Thanks again

eholz1

0 Karma

alanzchan
Path Finder

I’m guessing that solved your problem since you accepted my answer. If not, check this out: https://answers.splunk.com/answers/696093/what-are-the-basic-troubleshooting-steps-in-case-o.html

0 Karma

eholz1
Builder

Yes, but thanks for the link above, it is very helpful.

eholz1

0 Karma