Getting Data In

Not receiving data from some forwarders

RVDowning
Contributor

Newbie here with an issue.

Running Splunk 4.2.2 indexer on Linux and universal forwarders 4.2.2 on Windows 7 machines. I have 15 forwarders, but only receive data from the first 6 that were installed. I don't even see the forwarders listed under Hosts or see their Source types on the summary screen. I see errors such as the following in the forwarder's splunkd.log:

07-19-2011 15:25:05.121 -0400 INFO TcpOutputProc - Connected to idx=xx.xx.xxx.xxx:9997
07-19-2011 15:25:09.561 -0400 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" --driver-path "C:\Program Files\SplunkUniversalForwarder\bin"" splunk-regmon - No enabled entries were found in the conf files.

In the indexer's splunkd log I see messages such as:

Waiting for connection from src = aa.bb.ccc.dddd:portno to close before shutting down TCPInputProcessor.

So, it seems that the indexer knows of the forwarder's existence. Not sure what to look at next to try to resolve the issue.

msettipane
Splunk Employee

Also check to make sure you have permissions to read the files you are monitoring.

0 Karma

cpenkert
Path Finder

If you run a "splunk list monitor -auth admin:changeme" command from the splunk\bin directory, does it list files that are being monitored to be sent to the indexer?
If it lists nothing, you may have to modify your inputs.conf file to make sure you are monitoring the files that you hope to.

mikefoti
Communicator

Answered my own question... on a default install, can still use "admin" and "changeme"

0 Karma

mikefoti
Communicator

I'd like to run this command:
"splunk list monitor -auth admin:changeme"
on my Windows universal forwarder. Since the service runs under the Local System acct, what credentials can\should I use in place of changeMe?

0 Karma

RVDowning
Contributor

It did turn out to be a permissions issue on the inputs.conf file on at least one of the servers. Looking at the next server and still have the same problem. Not resolved yet.

0 Karma

RVDowning
Contributor

Running that command does indeed show that the two desired files are not being monitored. But, I can't find anything different between the inputs.conf file in the MSICreated directory on this forwarder and the forwarders where it is correctly working. I'm trying to find some kind of diff style utility to run against both directories.

Could permissions have anything to do with it?

0 Karma
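
Added example (not part of the original thread and not Splunk code): a stanza-level comparison of two inputs.conf files, copied from a working and a non-working forwarder to one workstation, so that ordering, spacing and comment differences do not hide a real difference. The sample contents and function names are constructed for illustration, and the parser assumes one setting per line (no multi-line values).

```python
import sys

# Constructed sample contents (not taken from the thread).
GOOD = r"""
[monitor://C:\logs\app.log]
sourcetype = app_log
disabled = 0

[monitor://C:\logs\audit.log]
sourcetype = audit
"""
BAD = r"""
[monitor://C:\logs\app.log]
sourcetype = app_log
disabled = 1
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; comments are skipped."""
    stanzas, current = {}, "default"  # keys before any header count as global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def diff_conf(good_text, bad_text):
    """List stanza and setting differences between two inputs.conf texts."""
    good, bad = parse_conf(good_text), parse_conf(bad_text)
    findings = []
    for stanza in sorted(set(good) | set(bad)):
        if stanza not in bad:
            findings.append(f"[{stanza}] missing on non-working forwarder")
        elif stanza not in good:
            findings.append(f"[{stanza}] only on non-working forwarder")
        else:
            g, b = good[stanza], bad[stanza]
            for key in sorted(set(g) | set(b)):
                if g.get(key) != b.get(key):
                    findings.append(f"[{stanza}] {key}: {g.get(key)!r} -> {b.get(key)!r}")
    return findings

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py good_inputs.conf bad_inputs.conf
        GOOD, BAD = (open(p, encoding="utf-8-sig").read() for p in sys.argv[1:3])
    print("\n".join(diff_conf(GOOD, BAD)) or "no differences")
```

Run without arguments it compares the two constructed samples; with two file paths it compares those files instead.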