Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk universal forwarder not reporting data from SQL server

Koushik_Katta
Explorer
‎10-17-2017 07:36 AM

Hi everyone ,

We have issue with Splunk universal forwarders , we installed recently on SQl servers , i have all inputs.conf and outputs.conf set correctly and there is no error in log data . but its no reporting logs in splunk. Ours is clustered search head pool with 2 search heads , 5 indexers and 5 heavy forwarders . we have forward management console , which generally phone-in to the universal forwarders by pushing some of the apps . In Past i have some other VM's which i faced the same issue , i reinstalled the universal forwarder agent which fixed the issue , but currently its not happening with these SQL servers .

Thanks in advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-17-2017 07:48 AM

Hi Koushik_Katta,
just a few stupid questions:

did you installed forwarders from scratch or did you cloned it from another installation?
in both the cases check if hostname in $SPLUNK_HOME/etc/system/local/server.conf and $SPLUNK_HOME/etc/system/local/inputs.conf is correct.

have you Splunk internal log files from these forwarders?
if not the problem is connection betwen forwarders and indexers.
If yes check log policies on your SQL Server and then TA that you're using to take logs.

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-17-2017 07:48 AM

Hi Koushik_Katta,
just a few stupid questions:

did you installed forwarders from scratch or did you cloned it from another installation?
in both the cases check if hostname in $SPLUNK_HOME/etc/system/local/server.conf and $SPLUNK_HOME/etc/system/local/inputs.conf is correct.

have you Splunk internal log files from these forwarders?
if not the problem is connection betwen forwarders and indexers.
If yes check log policies on your SQL Server and then TA that you're using to take logs.

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

Koushik_Katta
Explorer
‎10-17-2017 07:59 AM

hi Cusello ,

did you installed forwarders from scratch or did you cloned it from another installation?
yes i did it from scratch , installed manually
in both the cases check if hostname in $SPLUNK_HOME/etc/system/local/server.conf and $SPLUNK_HOME/etc/system/local/inputs.conf is correct
host name is correct in both .conf's
have you Splunk internal log files from these forwarders?
yes
if not the problem is connection betwen forwarders and indexers.
this i'm not sure , i think there wouldn't be connection issues , its working for other agents

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...