Re: Using two forwarders and one indexer

aatik5u · ‎04-14-2022

Hello there,

I am working on VMware, I have two linux machines that I'm using as universal forwarders (ubuntu desktop and a linux server that are configured in the exact same way as forwarders). I have another linux machine that I'm using as an indexer.

The thing is that one of my forwarders (linux server) is forwarding correctly to the indexer, and i can see all the information i need in the index main. BUT the second forwarder logs are nowhere to be found. Although I can see the 2nd universal forwarder when I type index=_internal in the search bar but this index doesn't show any logs.

Can someone help me please so I can see the logs of the second forwarders logs?

Have a great day everyone!

Abir

gcusello · ‎04-14-2022

Hi @aatik5u,

if you can see both the forwarders, this means that the connection is correctly established.

The problem could be at input level: how do you configured inputs on Forwarders?

did you used a TA (e.g. TA_Linux) or what else?

You can sse this in the $SPLUNK_HOME/etc/apps folder of Forwarders: there are some common apps installed by Splunk and some apps installed to take logs e.g. TA_Linux (https://splunkbase.splunk.com/app/833/).

Ciao.

Giuseppe

How to see the logs of the second forwarders logs? (Using two forwarders and one indexer)

host

inputs.conf

universal forwarder

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Join the Conversation