Issue in getting data from universal forwarder

chchanda
Loves-to-Learn

Hi There,

I have placed inputs.conf and outputs.conf on the Splunk UF installed on the application server to fetch the logs from a specific path, but Splunk is not reading them. I have tried changing the location of inputs.conf from Splunk_home/etc/apps/TA/local to /Splunk_home/etc/system/local, but still no luck.

I don't know what the issue is with fetching data into Splunk; however, I am able to see the internal logs on the Search Head.

Can anyone please help here? 

Thanks in advance!!

venkatasri
SplunkTrust

Hi @chchanda 

It could be a permissions issue. A good place to check is splunkd.log or the _internal index for errors. You can check the current monitor status by running "./splunk list inputstatus" under $SPLUNK_HOME/bin to get more detailed info on where Splunk is in reading the different files.

Can you share the inputs.conf so we can see how you configured it?

---

An upvote would be appreciated if it helps!

isoutamo
SplunkTrust

Hi

As @venkatasri said, it's probably an access rights issue.

  • Which platform are those UFs on?
  • Are you using a DS to deploy those configs (probably not, as you try to put those under system/local)?
    • My guideline is to never put anything under system/local if it works somewhere else.
  • Have you restarted the UF after adding those configurations, or have you added them with CLI commands?
  • Which user is running Splunk?
  • Have you checked the UF's splunkd.log to see if there are any errors related to this?
  • Are the UF's internal logs seen on the Splunk SH?

r. Ismo

chchanda
Loves-to-Learn

Hi @isoutamo 

  • Which platform are those UFs on? -- Windows platform
  • Are you using a DS to deploy those configs (probably not, as you try to put those under system/local)? -- No DS
    • My guideline is to never put anything under system/local if it works somewhere else. -- This is just for testing purposes, but I reverted the change from etc/system/local to etc/apps/TA/local
  • Have you restarted the UF after adding those configurations, or have you added them with CLI commands? -- Since it is Windows, I placed the TA manually by copy-paste. Restarted the Splunk services from Services
  • Which user is running Splunk? -- We have a user called splunk
  • Have you checked the UF's splunkd.log to see if there are any errors related to this? -- So far no such errors, but I can see INFO  ProxyConfig - Failed to initialize https_proxy from server.conf for splunkd.
  • Are the UF's internal logs seen on the Splunk SH? -- Yes, I can see the Splunk internal logs on the SH but not the logs in the specified index

isoutamo
SplunkTrust

Hi

As it's a Windows platform, you must use Windows notation for those paths, not the Unix version.

e.g. C:\temp\foo.bar

If you want to collect data from network shares, you must have a user who has access to those shares; usually that means a domain user.

And check that your splunk user has access to those directories/files which you are trying to ingest.

As you get those internal logs into Splunk, we know that the connection is OK and the issue is definitely on the UF side.

r. Ismo

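Added here as a troubleshooting helper, not code from the thread: a PowerShell check run on the Windows UF host that lists the monitor stanzas the forwarder actually loaded (so a Unix-style path stands out), confirms each path exists and that the service account holds a read ACE on it, then asks the UF for its own input status. It assumes the default install directory and a local service user named splunk; both are placeholders to adjust.

```powershell
# Added example, not from the thread. Assumed values: default UF install path and
# a local service account named "splunk". Run in an elevated PowerShell on the UF host.
$SplunkHome  = 'C:\Program Files\SplunkUniversalForwarder'
$ServiceUser = 'splunk'
$Splunk      = Join-Path $SplunkHome 'bin\splunk.exe'

# 1. Effective monitor stanzas and the .conf file each one comes from.
#    A path written Unix-style (e.g. /var/log/app) loads fine but never matches a Windows file.
& $Splunk btool inputs list --debug | Select-String -Pattern '\[monitor://' |
    ForEach-Object { $_.Line }

# 2. For every monitored path: does it exist, and does the service account have read access?
$paths = (& $Splunk btool inputs list) |
    Select-String -Pattern '^\[monitor://(.+)\]$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }

foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Warning "Path not found (wrong notation or drive?): $p"
        continue
    }
    $acl = Get-Acl -LiteralPath $p
    $readAce = $acl.Access | Where-Object {
        $_.IdentityReference -match "\\$ServiceUser$" -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)
    }
    if ($readAce) {
        "OK   $p is readable by $ServiceUser"
    } else {
        # Access may still be granted through a group the user belongs to; confirm before changing ACLs.
        Write-Warning "No direct read ACE for $ServiceUser on $p"
    }
}

# 3. The UF's own view of each input (bytes read, open errors). Prompts for splunkd credentials.
& $Splunk list inputstatus
```

Step 2 only looks at ACEs granted directly to the service user; a path readable only via group membership is reported as a warning, not a failure.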