Solved: Re: Forwarder not indexing

rcovert · ‎06-05-2012

I have one Linux indexer and 2 Linux forwarders. I just moved my indexer to a new server and have everything set up again. I changed the receiving server in both of my forwarders in /opt/splunkforwarder/etc/system/local/outputs.conf to point to the new IP address.

In the Deployment monitor app, I see both forwarders and it looks like data is coming in from both of them. But, when I look in the search app, it is not showing data coming from one of the forwarders under hosts. Any ideas?

rcovert · ‎06-05-2012

I found the answer. Grr..

I had a extra space between a ":" and the IP address of the indexer.

View solution in original post

rcovert · ‎06-05-2012

I found the answer. Grr..

I had a extra space between a ":" and the IP address of the indexer.

rcovert · ‎06-05-2012

This is being repeated in the splunkd.log on the forwarder:

06-05-2012 14:22:35.044 -0400 ERROR pipeline - Runtime exception in pipeline: parsing, processor: tcp-output-light-forwarder, error: vector::_M_range_check
06-05-2012 14:22:35.044 -0400 ERROR splunklogger - Uncaught exception in pipeline execution (tcp-output-light-forwarder) - getting next event

index="_internal" source="/Applications/Splunk/splunk/var/log/splunk/splunkd.log" shows 0 results.

sdaniels · ‎06-05-2012

Are you seeing anything in your splunkd log?
/var/log/splunk

or in the UI via this search

index="_internal" source="/Applications/Splunk/splunk/var/log/splunk/splunkd.log"

Forwarder not indexing

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout