Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Weird issue - forwarder app works on one server, but not another

msarro
Builder
‎10-17-2013 11:53 AM

Hey everyone. I have written a simple forwarding app which monitors 2 directories. I have this app deployed on 2 servers currently, and everything works fine. All of the servers are built exactly the same, running the same vendor's software.

I tried installing it on a third server. The directories seem to be ignored. I checked with btool, everything is in inputs as it should be. It just isn't sending data. I have verified that there is data for it to send in the correct locations too. It just seems like splunk isn't forwarding that data. Is there any way to check possible reasons that it may not be forwarding? Or are there any things to look for?

Here is the content of inputs.conf:

[monitor:///var/broadworks/billing/*/*.csv]
index=XS
sourcetype=XS_CDR

[monitor:///var/broadworks/logs/appserver/XSLog*.txt]
index=XSSIP
sourcetype = XSSIPLOG

Like I said, i am at a loss right now. These servers were all built using the same imaging system, so it shouldn't be a problem with permissions.

Tags (1)
0 Karma
Reply

aholzer
Motivator
‎10-17-2013 01:32 PM

Check to make sure you've configured your outputs.conf on the forwarder.

Also look at your splunkd.log for error messages, on both the forwarder and the indexer. It may be that you are actually sending data to the indexer, but your indexer isn't configured to deal with it yet. In which case you may want to confirm that the props.conf is properly configured.

Hope this helps.

0 Karma
Reply

Ayn
Legend
‎10-17-2013 12:15 PM

Permissions issues? Generally it's always a good idea to use amrit's excellent script for checking the status of monitor inputs: http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...