Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search for client disconnects from Indexer?

splunktrainingu
Communicator
‎07-08-2024 09:38 AM

Is there a way to monitor disconnects on a host (with a deployed universal forwarder) that cannot reach the Indexer? We have an on prem solution. Simply trying to use this host to monitor if network A can reach network B because the host is in Network A and the index is in network B. 

 

Labels (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-08-2024 11:35 AM

Normally, the UF is monitored from the indexers, but if the UF cannot connect to the indexer it cannot send its logs so there's no data to monitor.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-08-2024 10:14 AM

If the host cannot reach the indexer then there will be nothing logged on the indexer to monitor.  The UF will log any failures to connect so that is the place to check, but you will have to do that on the host rather than in Splunk.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

splunktrainingu
Communicator
‎07-08-2024 10:17 AM

Would this be logged into the metrics log on the UF? I could monitor for no logs, I have done that in the past. 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-08-2024 10:44 AM

The UF will log communication failures in splunkd.log.

Yes, you can monitor the indexers for no logs from hosts.  There are apps, including TrackMe, that can help with that.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

splunktrainingu
Communicator
‎07-08-2024 11:24 AM

So there is no way to monitor the splunkd.log on the UF from the Splunk Indexer?

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-08-2024 11:35 AM

Normally, the UF is monitored from the indexers, but if the UF cannot connect to the indexer it cannot send its logs so there's no data to monitor.

---
If this reply helps you, Karma would be appreciated.
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...