Forwarder is active - indexer no data

Path Finder

Forgive me for bringing this up. The problem is forwarding and receiving.
At one time I had this working. Now, nothing works.
I have a universal forwarder installed on a Red Hat Linux ver 7.6 server.
The outputs file is:
[tcpout]
defaultGroup=net_files
[tcpout:net_idx]
server=10.48.11.67:9997

The list forwarder command indicates these values as active forwards.
I have my indexer set to "listen" on data input: "Local Inputs" - TCP, and port 9997.
With this configuration I get only "cooked" data - no data from the files I am monitoring.
These files show correctly in the "splunk list monitor" CLI command on the universal forwarder.

The inputs.conf file on receiver/indexer:
[default]
[splunktcp://9997]
disabled = 0

I have restarted the forwarder, indexer, and syslog-ng (which forwards the data).
One of the files I monitor is updated every 30 sec or so, so that data should be transferred to the indexer; it is not.

Do you have any idea on how to resolve this issue? I am baffled as a week ago it was all working fine.
The only change I tried was forwarding the same data to a different indexer.

I am open to suggestions,
Thanks,
Eholz1

0 Karma
1 Solution

Path Finder

Check your internal logs for any errors in TcpOutputProc on forwarders and TcpInputProc on indexers.

I suspect the issue is in your outputs stanza. Try changing the net_files to net_idx.

0 Karma
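
The mismatch the answer points to, as an added example (not part of the original posts and not Splunk's own code): a small Python lint that checks that every group named in defaultGroup has a matching [tcpout:<group>] stanza with a server setting. The function names are hypothetical, and the sample input is the outputs.conf from the question.

```python
# Added example: lint a Splunk outputs.conf for tcpout group-name mismatches.
# SAMPLE_BROKEN is the outputs.conf quoted in the question above.
SAMPLE_BROKEN = """\
[tcpout]
defaultGroup=net_files
[tcpout:net_idx]
server=10.48.11.67:9997
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}} (minimal: no line continuations)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def lint_outputs(text):
    """Return a list of findings; an empty list means every default group resolves."""
    conf = parse_conf(text)
    findings = []
    # Group names defined by [tcpout:<group>] stanzas.
    defined = {name.split(":", 1)[1] for name in conf if name.startswith("tcpout:")}
    default = conf.get("tcpout", {}).get("defaultGroup", "")
    groups = [g.strip() for g in default.split(",") if g.strip()]
    if not groups:
        findings.append("note: [tcpout] sets no defaultGroup")
    for g in groups:
        if g not in defined:
            findings.append(f"error: defaultGroup '{g}' has no [tcpout:{g}] stanza "
                            f"(defined: {sorted(defined) or 'none'})")
        elif not conf[f"tcpout:{g}"].get("server"):
            findings.append(f"error: [tcpout:{g}] has no server setting")
    for g in sorted(defined - set(groups)):
        findings.append(f"note: [tcpout:{g}] is defined but not listed in defaultGroup")
    return findings

if __name__ == "__main__":
    for finding in lint_outputs(SAMPLE_BROKEN):
        print(finding)
```
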

Path Finder

Hello and thanks for the reply.

I checked the logs but found no problems there.
I changed the outputs.conf per your suggestion, restarted the forwarder and indexer, but no luck.

Any other suggestions?

Thanks again

eholz1

0 Karma

Path Finder

I’m guessing that solved your problem since you accepted my answer. If not, check this out: https://answers.splunk.com/answers/696093/what-are-the-basic-troubleshooting-steps-in-case-o.html

0 Karma

Path Finder

Yes, but thanks for the link above; it is very helpful.

eholz1

0 Karma