New input from light forwarder not appearing

jfields
New Member

I am a new Splunk user. I configured the index server and set it up as a receiver. I then installed the light forwarder on another Windows box and configured it to forward to the index server. It appears to be connecting to the Splunk index, according to the splunkd logs on the index.

However, Splunk web does not seem to be indexing the forwarded server data. Under Apps--> Windows, only the original index server shows up under hosts. Shouldn't that show 2 now and have the forwarder listed under there as well? The manual doesn't really explain what to expect in these screens once forwarding is complete, but it doesn't show any content for the forwarded server. Here is the relevant info from the log files on splunk.

I see entries saying "Connecting in cooked mode from (server)." I also see entries saying "Connection accepted from (server)." The other entry I see that might be relevant is "Hostname=(server) closes connection. Ended without a done-key."

Thank you.

JF

0 Karma

jfields
New Member

I do see the light forwarders under "index=_internal". Still nothing under Windows or Search apps for the light forwarder hosts.

0 Karma

Genti
Splunk Employee

Again, you need to be sure that you are indeed monitoring data within the lightweight forwarder. Monitor stanzas are how you tell Splunk what to actually monitor; check your inputs.conf, for example.
The idea is, you cannot forward if you have nothing to forward. Since you do see data when you search index=_internal, the forwarding is working correctly; it is just that you are not monitoring anything. Check this link for more info: http://www.splunk.com/base/Documentation/4.1.5/admin/Inputsconf

0 Karma
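To make the point above concrete, here is an added example of a minimal inputs.conf for a Windows light forwarder. It is not from the original thread or from Splunk's documentation; the directory path, sourcetype name and host name are assumed placeholders. Without at least one stanza like these, the forwarder has nothing to send except its own internal logs, which is exactly the symptom described (data under index=_internal but no events from the forwarder host elsewhere).

```ini
# inputs.conf on the light forwarder, typically placed under
# $SPLUNK_HOME\etc\system\local\ (assumed location; adjust if your
# deployment uses an app directory instead)

[default]
# Assumed host name; events from this forwarder will carry this host field
host = FWD-WIN-01

# Monitor stanza: tail every file under an application log directory.
# "C:\AppLogs" and "myapp_log" are placeholders, not values from the thread.
[monitor://C:\AppLogs]
disabled = 0
sourcetype = myapp_log
index = main

# Windows event log input: collect the Security event log
[WinEventLog:Security]
disabled = 0
index = main
```

After saving the file, restart the forwarder. On the indexer, compare `index=_internal host=FWD-WIN-01` (forwarder's own logs, already arriving) with `host=FWD-WIN-01` (the monitored data); once the second search returns events, the forwarder host will also appear in the Search app's host list.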

jfields
New Member

Sorry for the delayed response. I forgot to check the notify box, so I had no idea someone had answered me.

I actually don't know what monitoring stanzas are, so I will look into that. I do not see the forwarder under hosts in the Search app. Just the indexer. I see no logs at all from the forwarder.

0 Karma

Genti
Splunk Employee

There could be a couple of things going on here:
First, the trivial one: have you actually created any monitoring stanzas on the forwarder? I.e., are you actually monitoring anything at all?
Then, when you go to the Search app summary dashboard, under the list of hosts, do you see the forwarder there?
Lastly, if you do a search like index=_internal, do you just see logs from your indexer, or from your forwarder as well?

0 Karma