Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Universal Forwarders are phoning home but the indexes are not populating

packet_hunter
Contributor
‎10-17-2017 02:26 PM

So while I was out, some Windows config changes were pushed to some Windows servers that had fully deployed UFs with deployed-apps. Prior to these windows changes, the servers were sending wineventlogs via UFs to the indexers without issue. Now the UFs are phoning home but I am not able to see any data since the time the windows changes took place. In fact, since the changes the indexes do not show when I run the following search AFTER the time of the changes, 

|tstats values(sourcetype) WHERE index=* by index

The indexes do show up when I run the search BEFORE the time changes were made, which makes sense.
It appears all windows related indexes are down, any advice on where to start troubleshooting?

Thank you

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

pradeepkumarg
Influencer
‎10-17-2017 07:33 PM

Do you get the internal logs from those UFs? That's your starting point
Is the outputs intact on the UFs ?
If you get the internal logs.. check for any errors on splunkd logs.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

pradeepkumarg
Influencer
‎10-17-2017 07:33 PM

Do you get the internal logs from those UFs? That's your starting point
Is the outputs intact on the UFs ?
If you get the internal logs.. check for any errors on splunkd logs.

0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎10-18-2017 05:57 AM

Thank you for the reply.
The original architect of the splunk UFs confirmed that the two original deployment apps for the UFs were disabled and not deployed to the UFs. Therefore the UFs did not have inputs and outputs.
Your suggestion was correct.

0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎10-18-2017 05:58 AM

Please convert your comment to an answer thank you.

0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎10-18-2017 06:12 AM

also do you have a link reference for getting the UF internal logs ? I did not have to go down that path this time but it would be good to know. Thank you

Reply
Solved! Jump to solution

lfedak_splunk
Splunk Employee
Splunk Employee
‎10-18-2017 08:47 AM

I converted the answer so you can now accept it! 🙂

0 Karma
Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎10-18-2017 09:58 AM

Internal logs are by default forwarded to the indexers provided you have the outputs set up. you can search like below

index=_internal host=myhostname

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...