Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

We are receiving _internal logs from universal forwarders but we are not receiving data from indexes which are created externally???

saisrujan28
Explorer
‎01-29-2018 07:10 AM

Universal forwarder sending data _internal logs and we are receiving those logs and appeared on search heads.

But we deployed an add-on on the same universal forwarder. But we are not receiving data from the index which is present in the add-on. We created index on indexers.we are receiving data to this index from other UF's.
After deploying add-on we restarted UF

Example: index=_internal host=abc (we are getting splunkd logs)

index= test1 host=abc (we are not able see any logs)

can any one explain why this happens??

Tags (1)
0 Karma
Reply

micahkemp
Champion
‎02-07-2018 11:42 AM

Which addon did you deploy? Does this addon set the host value based on the event payload? Did you enable the inputs?

You may want to start by including your inputs.conf from the forwarder to enable additional help.

0 Karma
Reply

ansif
Motivator
‎02-07-2018 04:04 AM

Dont you see any clue from Indexer and UF _internal logs.Just search for this indexname as keyword.

0 Karma
Reply

somesoni2
Revered Legend
‎01-29-2018 07:49 AM

Obviously something is not configured properly for your non-internal data monitoring. I would suggest going through this post for troubleshooting steps.
http://docs.splunk.com/Documentation/Splunk/7.0.1/Troubleshooting/Cantfinddata

0 Karma
Reply

saisrujan28
Explorer
‎01-29-2018 09:00 AM

we have checked diag file from universal forwarder everything configured properly

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...