Getting Data In

How to confirm logs are forwarded from Universal forwarder ?

splunker12er
Motivator

Temporarily I dont have access to search head.
I had set the inputs.conf to forward windows eventlogs to Splunk indexer.
How do i confirm that my logs are forwarded to Splunk indexer from Universal forwarder?

I tested this :

> splunk list forward-server
Splunk username: admin
Password:*****
Active forwards:
        10.xxx.xxx.xxx:9997
Configured but inactive forwards:
        None

SO , from this can i confirm logs are forwarded successfully ?

0 Karma

HiroshiSatoh
Champion

How is it that checks by splunkd.log?
(ex)
05-14-2014 16:09:29.463 +0900 INFO TcpOutputProc - Connected to idx=10.XXX.XXX.XXX:9997

0 Karma

MuS
Legend

This tells you that your forwarder is connect to an indexer, but not if anything was sent.... check out this blog post about last christmas http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/

splunker12er
Motivator

05-16-2014 05:46:44.140 +0000 INFO TcpOutputProc - Connected to idx=10.xxx.xxx.xxx:9997

Yes , it shows the above

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...