Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Forwarder Unable to Connect to Target Folder

Randall2022
Observer
‎05-10-2022 01:40 AM

Hi,

I am currently facing an issue where my Splunk Universal Forwarder is able to establish connection with the Splunk Server but it is unable to port over the data from the target folder of interest. Is there a way to trouble shoot this?

A diagnostic test of index="_internal" would show that Splunk is streaming in system logs from my PC, thus proving that a link has already been established with the Splunk Server. However, trying to query using index="ForwarderText_index" (my target index for the targeted files), would yield nothing.

Splunk Universal Forwarder Installation Configuration Details:

Server: MyServerName

Port/Management Port: 8089 (default)

Target Folder: C:\Users\MyUserName\Documents\MyProject\logs\Splunk_Monitoring_Folder

_______________________________________

inputs.conf

location: C:\Program Files\SplunkUniversalForwarder\etc\system\local

File contents:

[monitor://C:\Users\cftfda01\Documents\MyProject\logs\Splunk_Monitoring_Folder\SubFolder01]
disabled = false
index = ForwarderText_index
host = MyComputerID
 

_______________________________________

outputs.conf

location: C:\Program Files\SplunkUniversalForwarder\etc\system\local

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server =MyServerName:9997

[tcpout-server://MyServerName:9997]

 

 

 

Labels (2)
0 Karma
Reply

SinghK
Builder
‎05-10-2022 02:03 AM

did you try searching it with  time set to all time instead of a specific time filter.

0 Karma
Reply

SinghK
Builder
‎05-10-2022 02:12 AM

did you check splunkd.logs  for the forwarder ?

any errors?

and @gcusello informed about modifying the input you created, have you done it ?

0 Karma
Reply

Randall2022
Observer
‎05-10-2022 07:06 PM

How do I go about checking the  splunkd.logs  for the forwarder?

I've tried @gcusello's proposal to change the inputs.conf file, but that didn't work too.

0 Karma
Reply

SinghK
Builder
‎05-12-2022 03:28 AM

Logs are in /opt/splunkforwarder/var/log/splunk directory 

or if you are getting internal logs then 

index=_internal host=<your host> sourcetype= splunkd should give you the logs

check if you see any errors

0 Karma
Reply

Randall2022
Observer
‎05-10-2022 02:04 AM

Tried that to no avail

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-10-2022 01:47 AM

Hi @Randall2022,

the first check is:

index=_internal host=your_host

if you have results the connection is ok, otherwise you have to investigate the connection, e.g. using telnet

telnet ip_server_splunk 9997

If you have data in _internal, the problem in in the data input.

could you try to modify the inputs.conf and restart the Forwarder?

[monitor://C:\Users\cftfda01\Documents\MyProject\logs\Splunk_Monitoring_Folder\SubFolder01\*.*]
disabled = false
index = ForwarderText_index
host = MyComputerID

Ciao.

Giuseppe

 

0 Karma
Reply

Randall2022
Observer
‎05-10-2022 07:04 PM

There's data coming in to index="_internal", but nothing in for the target index. I've also created the target index separately in the Splunk Enterprise settings already. Adding a wildcard variable to the inputs.conf file like what you suggested also did not work.

0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...