Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to troubleshoot the Universal Forwarder wh...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have a existing infrastructure of Splunk where events are passed from multiple Linux boxes to Splunk indexers.
We recently have installed Splunk forwarder in a Windows box. When we search in Splunk using that host name, we don't see the events.
We have checked the logs with the following observation
- It is picking up new monitor config.
- No error is reported in Splunkd.log
Can you please share the troubleshooting steps for the forwarder? Can forwarder log files help us pin point - if forwarder at all sending the events to Indexer?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Interesting Observation - The forwarder is able to send data to indexer in each line does not starts with a date time.
e.g
12/13/2016 12:45:77.907 -0500 Some content
The above line fails
12/13/2016 Some content
Above line works
Seems like forwarder is trying to parse date time.
Is there a way to forcefully tell forwarder not to parse datetime?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Interesting Observation - The forwarder is able to send data to indexer in each line does not starts with a date time.
e.g
12/13/2016 12:45:77.907 -0500 Some content
The above line fails
12/13/2016 Some content
Above line works
Seems like forwarder is trying to parse date time.
Is there a way to forcefully tell forwarder not to parse datetime?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ sarthakb refer to below thread...you can refer to my answer there to get some tips and also others answers as well
https://answers.splunk.com/answers/5590/could-not-send-data-to-the-output-queue.html#answer-466859
As @chrishartsoc mentioned...your starting point is checking splunkd and metrics log on the forwarder.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good place to start at I can't find my data!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So the data is being forwarded correctly to your indexer(s) but you cannot find the host when searching?
Can you check the outputs.conf on the forwarder to verify you have the correct hostname there?
C:\SPLUNK_HOME\etc\system\local\outputs.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Thanks for the quick reply.
I dont know if the data is being forwarded correctly. I am looking for guidance to confirm that.
regards,
Sarthak
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Along the lines of skoelpin's comment, it sounds like there may be an issue sending from the UF to the indexer. Can you see in the splunkd.log on the UF that the UF is successfully connecting to the indexer?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
