Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Forwarder Unable to Connect to Target Folder

Randall2022
Observer
‎05-10-2022 01:40 AM

Hi,

I am currently facing an issue where my Splunk Universal Forwarder is able to establish connection with the Splunk Server but it is unable to port over the data from the target folder of interest. Is there a way to trouble shoot this?

A diagnostic test of index="_internal" would show that Splunk is streaming in system logs from my PC, thus proving that a link has already been established with the Splunk Server. However, trying to query using index="ForwarderText_index" (my target index for the targeted files), would yield nothing.

Splunk Universal Forwarder Installation Configuration Details:

Server: MyServerName

Port/Management Port: 8089 (default)

Target Folder: C:\Users\MyUserName\Documents\MyProject\logs\Splunk_Monitoring_Folder

_______________________________________

inputs.conf

location: C:\Program Files\SplunkUniversalForwarder\etc\system\local

File contents:

[monitor://C:\Users\cftfda01\Documents\MyProject\logs\Splunk_Monitoring_Folder\SubFolder01]
disabled = false
index = ForwarderText_index
host = MyComputerID
 

_______________________________________

outputs.conf

location: C:\Program Files\SplunkUniversalForwarder\etc\system\local

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server =MyServerName:9997

[tcpout-server://MyServerName:9997]

 

 

 

Labels (2)
0 Karma
Reply

SinghK
Builder
‎05-10-2022 02:03 AM

did you try searching it with  time set to all time instead of a specific time filter.

0 Karma
Reply

SinghK
Builder
‎05-10-2022 02:12 AM

did you check splunkd.logs  for the forwarder ?

any errors?

and @gcusello informed about modifying the input you created, have you done it ?

0 Karma
Reply

Randall2022
Observer
‎05-10-2022 07:06 PM

How do I go about checking the  splunkd.logs  for the forwarder?

I've tried @gcusello's proposal to change the inputs.conf file, but that didn't work too.

0 Karma
Reply

SinghK
Builder
‎05-12-2022 03:28 AM

Logs are in /opt/splunkforwarder/var/log/splunk directory 

or if you are getting internal logs then 

index=_internal host=<your host> sourcetype= splunkd should give you the logs

check if you see any errors

0 Karma
Reply

Randall2022
Observer
‎05-10-2022 02:04 AM

Tried that to no avail

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-10-2022 01:47 AM

Hi @Randall2022,

the first check is:

index=_internal host=your_host

if you have results the connection is ok, otherwise you have to investigate the connection, e.g. using telnet

telnet ip_server_splunk 9997

If you have data in _internal, the problem in in the data input.

could you try to modify the inputs.conf and restart the Forwarder?

[monitor://C:\Users\cftfda01\Documents\MyProject\logs\Splunk_Monitoring_Folder\SubFolder01\*.*]
disabled = false
index = ForwarderText_index
host = MyComputerID

Ciao.

Giuseppe

 

0 Karma
Reply

Randall2022
Observer
‎05-10-2022 07:04 PM

There's data coming in to index="_internal", but nothing in for the target index. I've also created the target index separately in the Splunk Enterprise settings already. Adding a wildcard variable to the inputs.conf file like what you suggested also did not work.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...