Splunk Universal Forwarder is not able to send monitored file's logs to Splunk Indexers though sending internal logs properly

MousumiChowdhur
Contributor

Hi All,

I have six forwarders and two indexers to which these are supposed to send data. The six forwarders have multiple instances of forwarders i.e., each having three instances. There are three active files of 500mb each which are supposed to be monitored. These three 500mb files are distributed among three instances of forwarders in each forwarder. After setting up the forwarders and doing all the configurations, I started the input for all the six forwarders. Out of six forwarders, 4 are sending data properly but 2 are monitoring the files and not sending any data. Internal logs are coming from all six forwarders. There is no internal error that I'm getting. Also at the time of data input, I was able to get the "TailingProcessor" in the internal logs for the sources. But after that the logs never came. I'm not able to find what the issue could be.

Can anybody please help me to solve this issue?

0 Karma

MousumiChowdhur
Contributor

Hi!! Thanks for the quick response.

I tried running the search for index=* and timepicker value set to All time. But I still can't see any data from those two particular sources. Also I checked, the destination index exists on the two indexers as the data from the other four forwarders are showing up in that particular index. There is no internal error also!

0 Karma

woodcock
Esteemed Legend

Try running a search for index=* with a timepicker value of All time. Sometimes the events do not go into the right place and sometimes they are not timestamped correctly and so they are sent "to the future" and will only show up in searches way late, as reality creeps towards them. If you do not see the events, then make sure that the destination index for the events exists on your indexers (there are error logs on the indexers when events come for indexes that are not configured so you can search for those with index=_* warn* OR err*).

0 Karma
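
One way to run the check suggested in the answer above, as an added example that is not part of the original thread: an SPL search that shows, per index, host and source, how far event timestamps sit from the time they were indexed, so events that landed in an unexpected index or were timestamped into the future stand out. The 300-second and one-day thresholds and the `+10y` look-ahead window are assumptions chosen for illustration.

```spl
index=* earliest=0 latest=+10y
| eval skew_seconds = _time - _indextime
| stats count AS events, min(skew_seconds) AS min_skew, max(skew_seconds) AS max_skew, max(_indextime) AS last_indexed BY index, host, source
| eval state = case(max_skew > 300, "timestamped in the future", min_skew < -86400, "timestamped more than a day in the past", true(), "ok")
| convert ctime(last_indexed)
| sort - max_skew
```

Adding a `host=` filter for the two silent forwarders narrows the result to the sources in question; a monitored source that does not appear in any index at all points back to the forwarder or the index configuration rather than to timestamping.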