Getting Data In

Universal uploader not sending data events

vikramsekaran
New Member

Hi,
I have a universal forwarder set up on a Linux x64 machine, with a monitor set up from the CLI to load a whole folder full of log files. I don't receive data events at the receiver from the log files; some of the files are reported as binary files, but even the others are not showing up. It is a trial license and I have 0 license violations, and I could see the forwarder as active in the deployment monitor. I have tried cleaning the indexes and bouncing the Splunk instances on both machines, no help. We need to decide soon if we want to stick with Splunk, only if we can get this one working in the first place.

/opt/splunkforwarder/etc/system/local/outputs.conf
[tcpout]
defaultGroup = alert.example.com_9997

[tcpout:alert.example.com_9997]
server = alert.example.com:9997

[tcpout-server://alert.example.com:9997]

/opt/splunkforwarder/etc/apps/search/local/inputs.conf

[monitor:///opt/auditLogs]
disabled = false
sourcetype = OAM10gAudit

At receiver:

/opt/splunk/etc/apps/search/local/inputs.conf
[splunktcp://9997]
index = oamaudit

I have an index created as oamaudit. Am I missing anything?

0 Karma

Ayn
Legend

The index configuration parameter doesn't exist for the splunktcp input - the value for index is set when the Universal Forwarder picks up data, so that's where you should make changes if you want a monitor input to go to another index than the default.

0 Karma

vikramsekaran
New Member

Thanks everyone, I think I have fixed the issue. Splunk did not read the events because the timestamp on the audit data was messed up, and after a long try, it displayed the whole file as one event. I changed the timestamp format in the core application and it all works now. I am receiving every line as an event now. Thanks for all the support.

0 Karma

vikramsekaran
New Member

Thanks for the replies. The data is not received at all. I removed the index value from the indexer and the forwarder to let it go to the default index; still nothing. I am able to connect to the indexer from the forwarder without a problem. Even the log in the forwarder says connected to my indexer IP address. I am running out of options to look at.

0 Karma

yannK
Splunk Employee

Currently your data should go to the main default index.

To change this, modify the inputs on the forwarder:

[monitor:///opt/auditLogs]
disabled = false
sourcetype = OAM10gAudit
index = oamaudit

If no data is received at all, check the network and firewall (a simple telnet alert.example.com 9997 from the forwarder should tell you).

0 Karma
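
A small lint for the index-routing points made in the replies above (an added example, not code from the thread or from Splunk): it parses the forwarder and receiver inputs.conf text as posted, flags an index set on the splunktcp stanza, and flags monitor stanzas that do not set the wanted index. The function names and the embedded sample configs are constructed for illustration.

```python
import configparser

# Constructed sample input: the two inputs.conf files as posted in this thread.
FORWARDER_INPUTS = """\
[monitor:///opt/auditLogs]
disabled = false
sourcetype = OAM10gAudit
"""
RECEIVER_INPUTS = """\
[splunktcp://9997]
index = oamaudit
"""


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    parser.optionxform = str  # keep key case as written
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def lint_index_routing(forwarder_text, receiver_text, wanted_index):
    """Return findings about where the index is (or is not) being set."""
    findings = []
    for stanza, keys in parse_conf(receiver_text).items():
        if stanza.startswith("splunktcp://") and "index" in keys:
            findings.append(
                f"receiver [{stanza}]: index = {keys['index']} is set on the receiving input; "
                "per the replies, set it on the forwarder's monitor stanza instead"
            )
    for stanza, keys in parse_conf(forwarder_text).items():
        if not stanza.startswith("monitor://"):
            continue
        if keys.get("disabled", "false").lower() in ("true", "1"):
            findings.append(f"forwarder [{stanza}]: input is disabled")
        actual = keys.get("index")
        if actual is None:
            findings.append(
                f"forwarder [{stanza}]: no index set, events go to the default index, not {wanted_index}"
            )
        elif actual != wanted_index:
            findings.append(f"forwarder [{stanza}]: index = {actual}, expected {wanted_index}")
    return findings


if __name__ == "__main__":
    for line in lint_index_routing(FORWARDER_INPUTS, RECEIVER_INPUTS, "oamaudit"):
        print(line)
```

Run against the configs from the original post it reports both problems; run against the corrected monitor stanza (with index = oamaudit) and a receiver stanza without index, it reports nothing.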