Hello to all dear friends and fellow platformers
I have 36 indexers and 7 heavy forwarders in my cluster. Every once in a while, I notice that logs from one of the pieces of equipment I receive logs from are not entering Splunk, even though the log is actually being reported from the source. With further investigation, I realize that the log from the source (meaning the desired equipment) is sent and received by one of the 7 HFs, but the problem is that either the HF does not send it to the indexers or the indexers do not index the log, so according to Splunk the log appears disconnected from the source equipment.
a. Do you have a solution so that, in a scenario with indexer clustering and a large number of HFs, I can find out whether the log is correctly output from the HF to the indexer or not?
b. What is the cause of this problem, and what is the solution?
Thank you.
Hi @sohrab_keramat,
I know that the logs don't contain information about the systems a log has passed through, so how can you say that a log was sent to an HF and wasn't sent to the Indexers?
Maybe you're sending logs from the missed device to only one HF?
Do you have other logs (e.g. Splunk internal logs) from that HF?
Did you try to send logs from that device to other HFs?
Did you check the configuration on the HF to input logs from that device?
Ciao.
Giuseppe
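As an added example (not part of this thread), one way to answer question (a) without guessing is to parse the HF's own metrics.log, where the tcpout_connections group records how many KB each indexer connection received per interval: an indexer listed in outputs.conf that never appears in these lines was never connected, and one that appears with kb=0 is connected but idle. The log lines, IP addresses and configured indexer list below are constructed samples in that shape, not data from the poster's environment.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of a heavy forwarder's metrics.log.
# Only group=tcpout_connections lines matter here; the thruput line shows
# that unrelated metric groups are ignored.
SAMPLE_METRICS_LOG = """\
07-10-2023 10:00:31.001 +0000 INFO  Metrics - group=tcpout_connections, name=idx_group:10.0.0.11:9997:0, sourcePort=8089, destIp=10.0.0.11, destPort=9997, _tcp_Bps=10240.00, _tcp_KBps=10.00, _tcp_avg_thruput=10.00, _tcp_Kprocessed=300, _tcp_eps=25.00, kb=300.00
07-10-2023 10:00:31.001 +0000 INFO  Metrics - group=tcpout_connections, name=idx_group:10.0.0.12:9997:0, sourcePort=8089, destIp=10.0.0.12, destPort=9997, _tcp_Bps=0.00, _tcp_KBps=0.00, _tcp_avg_thruput=0.00, _tcp_Kprocessed=0, _tcp_eps=0.00, kb=0.00
07-10-2023 10:00:31.001 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=12.5, instantaneous_eps=30.0, average_kbps=11.0, total_k_processed=500, kb=350.00, ev=900
"""

# Constructed stand-in for the server list in the HF's outputs.conf.
CONFIGURED_INDEXERS = ["10.0.0.11:9997", "10.0.0.12:9997", "10.0.0.13:9997"]

# key=value pairs as written by Splunk's Metrics logger (comma separated).
KV_RE = re.compile(r"(\w+)=([^,\s]+)")

def parse_tcpout_connections(text: str) -> List[Dict[str, str]]:
    """Return one field dict per tcpout_connections metrics line."""
    rows = []
    for line in text.splitlines():
        if "group=tcpout_connections" not in line:
            continue
        rows.append(dict(KV_RE.findall(line)))
    return rows

def kb_per_destination(text: str) -> Dict[str, float]:
    """Sum the kb counter per indexer (destIp:destPort) over all intervals."""
    totals: Dict[str, float] = {}
    for row in parse_tcpout_connections(text):
        dest = f"{row['destIp']}:{row['destPort']}"
        totals[dest] = totals.get(dest, 0.0) + float(row.get("kb", "0"))
    return totals

def find_stalled_outputs(text: str) -> List[str]:
    """Indexers the HF is connected to but has sent no data to."""
    return sorted(d for d, kb in kb_per_destination(text).items() if kb == 0.0)

def find_missing_destinations(text: str, configured: List[str]) -> List[str]:
    """Configured indexers that never show up as a tcpout connection at all."""
    seen = kb_per_destination(text)
    return sorted(d for d in configured if d not in seen)

if __name__ == "__main__":
    print("stalled:", find_stalled_outputs(SAMPLE_METRICS_LOG))
    print("never connected:", find_missing_destinations(SAMPLE_METRICS_LOG, CONFIGURED_INDEXERS))
```

On a live HF the same data is searchable with `index=_internal source=*metrics.log group=tcpout_connections`, with the caveat that the HF's _internal events must themselves reach the indexers for that search to show anything.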