Can you check the connectivity between forwarder and indexer? Also check indexing queue in monitoring console.
Forwarder was installed on the same server where splunk enterprise was installed for testing purposes.
oh. Can you check _internal logs for error and check indexing queue in monitoring console?
I am receiveing below mentioned error with high frequency.
ERROR TcpInputProc - Message rejected. Received unexpected message of size=174291836 bytes from src=x.x.x.x:12345 in streaming mode. Maximum message size allowed=63412458. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.
Can you share configuration details of outputs.conf and deploymentclients.conf?
I haven't configured outputs.conf as during installation I enter the deployment server and receiver indexer details.The same purpose will be done in ouput.conf if you didn't enter during installation.Other than input.conf I didn't changed any configuration.
Am I right or missing something.
Are the internal logs of the forwarder also delayed?
NO.Internal logs of forwarder are not delayed.
Any reason you're ingesting windows logs like this, by pointing at the evtx files? I think Splunk documentation even explicitely mentions that you shouldn't read the live evtx file that is still being written to.
To ingest windows logs from the local machine, use the
[WinEventLog://Security] input stanza. For details: http://docs.splunk.com/Documentation/Splunk/7.0.3/Data/MonitorWindowseventlogdata