Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Logs not received into splunk

VijaySrrie
Builder
‎06-03-2020 12:37 AM

Hi Team,

HF has been installed in a server, connectivity has been created to splunk, but we are not able to see any logs in splunk.
We have two different hosts.
For one of the hosts we are able to see the logs, but not able to see the logs for another host.

Note:
1) Host2 is using the same index name and log files are placed in same path as of host 1

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-03-2020 01:00 AM

Hi @vijaysri,
your architecture isn't so clear for me:

  • you have two servers that send logs to an Heavy Forwarder,
  • Heavy Forwarder sends logs to a Splunk Enterprise,
  • is it correct?

If this is your architecture, where you're not able to see logs on Splunk Enterprise or on Heavy Forwarder?

On HF you can see logs only if you hace a local copy of the logs (with duplicated license consuption), otherwise you can see logs only on Splunk Enterprise.

At first, did you enabled receiving on HF and Splunk?
if not, do this in [Settings -- Forwardrding and Receiving -- Receiving] in both the servers.

if yes, If you don't see logs on Splunk Enterprise, you should check the connection between hosts and HF and between HF and Splunk Enterprise.
To check this at first you should run this search on Splunk Enterprise:

index=_internal | stats count BY host

and see if the hostnames of host1, host2 and HF are prosent or not:

  • if you haven't none of them there's a problem between HF and Splunk,
  • if you have HF's logs but not hos1 and host2 logs there's a problem between hosts and HF.

in both the cases, check connections using telnet on port 9997 from the source system to the target (e.g. HF to Splunk or host1 to HF).

Ciao.
Giuseppe

Reply

VijaySrrie
Builder
‎06-03-2020 01:30 AM

@gcusello

index=_internal "host1" --> able to see the logs
index=_internal "host2" --> able to see the logs

for host1 ---> I am able to see the logs into the particular index assigned.
Issue is only with host2

I am not able to see the logs for host 2 into the particular index. May I know what troubleshooting can be done?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-03-2020 01:50 AM

Hi @vijaysri,
if you see internal logs from host2 but not other logs, check the differences with host1 in inputs.conf.

Then try the monitor paths if there are results, e.g. if you have in inputs.conf

[monitor:///app/log/*log]

you could try in Linux

ls -la /app/log/*log

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...