Getting Data In

Universal Forwarder not sending data to indexer after successful connection

RecoMark0
Path Finder

Hello,
I have a setup that consists of a Search Head and 2 indexers in a cluster. I also use a self signed SSL certificate between the indexers and my universal forwarders.

For some reason, my UF is able to connect to the indexers, but no data is sent.
07-09-2016 00:21:15.670 +0000 INFO TcpOutputProc - Connected to idx=x.x.x.x:9997

  1. My test logs directly on the indexers were sent to the search head without issue.
  2. running splunk list monitor on the UF lists all the logs I want to monitor
  3. No errors in splunkd.log on the UF that I can see, just the usual warnings I get in my duplicate setup in another enviornment that IS working.
  4. No errors in metrics.log on the UF either.
  5. On the Indexer is this warning:

    WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Fri Jul 8 20:30:38 2016). Context: source::\\s$\Logs\service.log|host::|Service Logs|174315

What else can I test to pinpoint my issue?

0 Karma
1 Solution

ddrillic
Ultra Champion

The "official" documentation to debug such a case at I can't find my data!

View solution in original post

ddrillic
Ultra Champion

The "official" documentation to debug such a case at I can't find my data!

RecoMark0
Path Finder

Sigh, I forgot to add the index my inputs.conf was going to, to the admin role "indexes searched by default". Sorry for wasting everyone's time! Rookie mistake.

0 Karma

ddrillic
Ultra Champion

It's all good - we all make all sorts of mistakes...

woodcock
Esteemed Legend

You have a linebreaking/merging problem or a timestamping problem (the former often causes the latter). We need to see a few sample log events and your inputs.conf and props.conf files.

renjith_nair
Legend

It's possible that the timestamp recognition is not working as expected and the events are indexed with an old timestamp.
Have you tried setting the time range to 'all time' and see if there are any events from this forwarder?

Try | metadata type=hosts index=* to see if the host is connected

Also have a look at http://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs

---
What goes around comes around. If it helps, hit it with Karma 🙂
Get Updates on the Splunk Community!

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...

Splunk With AppDynamics - Meet the New IT (And Engineering) Couple

Wednesday, November 20, 2024  |  10AM PT / 1PM ET Register Now Join us in this session to learn all about ...