- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have one Linux indexer and 2 Linux forwarders. I just moved my indexer to a new server and have everything set up again. I changed the receiving server in both of my forwarders in /opt/splunkforwarder/etc/system/local/outputs.conf to point to the new IP address.
In the Deployment monitor app, I see both forwarders and it looks like data is coming in from both of them. But, when I look in the search app, it is not showing data coming from one of the forwarders under hosts. Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found the answer. Grr..
I had a extra space between a ":" and the IP address of the indexer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found the answer. Grr..
I had a extra space between a ":" and the IP address of the indexer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is being repeated in the splunkd.log on the forwarder:
06-05-2012 14:22:35.044 -0400 ERROR pipeline - Runtime exception in pipeline: parsing, processor: tcp-output-light-forwarder, error: vector::_M_range_check
06-05-2012 14:22:35.044 -0400 ERROR splunklogger - Uncaught exception in pipeline execution (tcp-output-light-forwarder) - getting next event
index="_internal" source="/Applications/Splunk/splunk/var/log/splunk/splunkd.log" shows 0 results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you seeing anything in your splunkd log?
or in the UI via this search
index="_internal" source="/Applications/Splunk/splunk/var/log/splunk/splunkd.log"
