Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Heavy Forwarder losing data when forwarding data from HTTP Event Collector

simpkins1958
Contributor
‎08-24-2017 01:05 PM

We are developing Splunk dashboards. We have a Splunk enterprise server that is receiving HTTP event collector data form our clients. We have setup the server that receives the HEC information as a Heavy Forwarder that indexes locally and then forwards data to several other Splunk servers that we are using for development.

The servers we are forwarding to are losing events.

source=netmotion | stats count

for the same time span is returning significantly different count values. 13,089 from the splunk server receiving the HEC events, and 5,713 from the Splunk server we are forwarding to.

Why is this happening?

0 Karma
Reply

simpkins1958
Contributor
‎08-25-2017 01:52 PM

We had outputs.conf configured wrong. We were auto load balancing to the three servers.

0 Karma
Reply

lfedak_splunk
Splunk Employee
Splunk Employee
‎08-25-2017 01:57 PM

@simpkins1958, did that resolve the issue? If so I will close the question.

0 Karma
Reply

simpkins1958
Contributor
‎08-25-2017 02:09 PM

Yes. User error...

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-25-2017 01:31 AM

Hi simpkins1958,
can you install a Forwarder on the target systems?
If you can, use a Forwarder to ingest and send logs to the Indexer, to be safer about log losing.
Bye.
Giuseppe

0 Karma
Reply

simpkins1958
Contributor
‎08-25-2017 07:52 AM

We are not getting data from log files. We are getting data from our clients through the Splunk HTTP Event Collector.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-26-2017 12:56 AM

I understand, but if you can have a forwarder on the target server you could take logs from files, so you optimize log transmission and you're safer about log losing.
Otherwise, you should check if there could be a network problem during transmission.
I usually prefer to use Forwarders than HPPT Collector for the abome reasons.
Bye.
Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...