Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Universal Forwarders are phoning home but the indexes are not populating

packet_hunter
Contributor
‎10-17-2017 02:26 PM

So while I was out, some Windows config changes were pushed to some Windows servers that had fully deployed UFs with deployed-apps. Prior to these windows changes, the servers were sending wineventlogs via UFs to the indexers without issue. Now the UFs are phoning home but I am not able to see any data since the time the windows changes took place. In fact, since the changes the indexes do not show when I run the following search AFTER the time of the changes, 

|tstats values(sourcetype) WHERE index=* by index

The indexes do show up when I run the search BEFORE the time changes were made, which makes sense.
It appears all windows related indexes are down, any advice on where to start troubleshooting?

Thank you

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

pradeepkumarg
Influencer
‎10-17-2017 07:33 PM

Do you get the internal logs from those UFs? That's your starting point
Is the outputs intact on the UFs ?
If you get the internal logs.. check for any errors on splunkd logs.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

pradeepkumarg
Influencer
‎10-17-2017 07:33 PM

Do you get the internal logs from those UFs? That's your starting point
Is the outputs intact on the UFs ?
If you get the internal logs.. check for any errors on splunkd logs.

0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎10-18-2017 05:57 AM

Thank you for the reply.
The original architect of the splunk UFs confirmed that the two original deployment apps for the UFs were disabled and not deployed to the UFs. Therefore the UFs did not have inputs and outputs.
Your suggestion was correct.

0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎10-18-2017 05:58 AM

Please convert your comment to an answer thank you.

0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎10-18-2017 06:12 AM

also do you have a link reference for getting the UF internal logs ? I did not have to go down that path this time but it would be good to know. Thank you

Reply
Solved! Jump to solution

lfedak_splunk
Splunk Employee
Splunk Employee
‎10-18-2017 08:47 AM

I converted the answer so you can now accept it! 🙂

0 Karma
Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎10-18-2017 09:58 AM

Internal logs are by default forwarded to the indexers provided you have the outputs set up. you can search like below

index=_internal host=myhostname

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...