Getting Data In

Splunk universal forwarder not reporting data from SQL server

Koushik_Katta
Explorer

Hi everyone ,

We have issue with Splunk universal forwarders , we installed recently on SQl servers , i have all inputs.conf and outputs.conf set correctly and there is no error in log data . but its no reporting logs in splunk. Ours is clustered search head pool with 2 search heads , 5 indexers and 5 heavy forwarders . we have forward management console , which generally phone-in to the universal forwarders by pushing some of the apps . In Past i have some other VM's which i faced the same issue , i reinstalled the universal forwarder agent which fixed the issue , but currently its not happening with these SQL servers .

Thanks in advance

0 Karma
1 Solution

gcusello
Legend

Hi Koushik_Katta,
just a few stupid questions:

did you installed forwarders from scratch or did you cloned it from another installation?
in both the cases check if hostname in $SPLUNK_HOME/etc/system/local/server.conf and $SPLUNK_HOME/etc/system/local/inputs.conf is correct.

have you Splunk internal log files from these forwarders?
if not the problem is connection betwen forwarders and indexers.
If yes check log policies on your SQL Server and then TA that you're using to take logs.

Bye.
Giuseppe

View solution in original post

0 Karma

gcusello
Legend

Hi Koushik_Katta,
just a few stupid questions:

did you installed forwarders from scratch or did you cloned it from another installation?
in both the cases check if hostname in $SPLUNK_HOME/etc/system/local/server.conf and $SPLUNK_HOME/etc/system/local/inputs.conf is correct.

have you Splunk internal log files from these forwarders?
if not the problem is connection betwen forwarders and indexers.
If yes check log policies on your SQL Server and then TA that you're using to take logs.

Bye.
Giuseppe

0 Karma

Koushik_Katta
Explorer

hi Cusello ,

did you installed forwarders from scratch or did you cloned it from another installation?
yes i did it from scratch , installed manually
in both the cases check if hostname in $SPLUNK_HOME/etc/system/local/server.conf and $SPLUNK_HOME/etc/system/local/inputs.conf is correct
host name is correct in both .conf's
have you Splunk internal log files from these forwarders?
yes
if not the problem is connection betwen forwarders and indexers.
this i'm not sure , i think there wouldn't be connection issues , its working for other agents

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...