Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk universal forwarder not reporting data from SQL server

Koushik_Katta
Explorer
‎10-17-2017 07:36 AM

Hi everyone ,

We have issue with Splunk universal forwarders , we installed recently on SQl servers , i have all inputs.conf and outputs.conf set correctly and there is no error in log data . but its no reporting logs in splunk. Ours is clustered search head pool with 2 search heads , 5 indexers and 5 heavy forwarders . we have forward management console , which generally phone-in to the universal forwarders by pushing some of the apps . In Past i have some other VM's which i faced the same issue , i reinstalled the universal forwarder agent which fixed the issue , but currently its not happening with these SQL servers .

Thanks in advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-17-2017 07:48 AM

Hi Koushik_Katta,
just a few stupid questions:

did you installed forwarders from scratch or did you cloned it from another installation?
in both the cases check if hostname in $SPLUNK_HOME/etc/system/local/server.conf and $SPLUNK_HOME/etc/system/local/inputs.conf is correct.

have you Splunk internal log files from these forwarders?
if not the problem is connection betwen forwarders and indexers.
If yes check log policies on your SQL Server and then TA that you're using to take logs.

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-17-2017 07:48 AM

Hi Koushik_Katta,
just a few stupid questions:

did you installed forwarders from scratch or did you cloned it from another installation?
in both the cases check if hostname in $SPLUNK_HOME/etc/system/local/server.conf and $SPLUNK_HOME/etc/system/local/inputs.conf is correct.

have you Splunk internal log files from these forwarders?
if not the problem is connection betwen forwarders and indexers.
If yes check log policies on your SQL Server and then TA that you're using to take logs.

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

Koushik_Katta
Explorer
‎10-17-2017 07:59 AM

hi Cusello ,

did you installed forwarders from scratch or did you cloned it from another installation?
yes i did it from scratch , installed manually
in both the cases check if hostname in $SPLUNK_HOME/etc/system/local/server.conf and $SPLUNK_HOME/etc/system/local/inputs.conf is correct
host name is correct in both .conf's
have you Splunk internal log files from these forwarders?
yes
if not the problem is connection betwen forwarders and indexers.
this i'm not sure , i think there wouldn't be connection issues , its working for other agents

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

Sooooooooooo, guess what. .conf25 is almost here, and if you're on the Security Learning Path, this is your ...

First Steps with Splunk SOAR

Our first step was to gather a list of the playbooks we wanted and to sort them by priority.  Once this list ...

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

If you’ve read our previous post on self-service observability, you already know what it is and why it ...
Top