Permissions are there for the log file and no errors in the splunkd.log.
Everything seems to be working fine and everything is running, as we can see that the data is forwarded at this moment. The only problem is that the specific data is not shown on the indexer; it was coming before, but it stopped a few days ago.
What could be the problem?
Has this issue ever been resolved? I am facing a very similar issue.
Try running /opt/splunk/bin/splunk list monitor and see if your files/directory show up in there. Try searching splunkd.log from the forwarder with the keyword as your file name (e.g. index=_internal sourcetype=splunkd host=YourHost *yourfilename*) and see if there are any warnings of some sort.
index=_internal sourcetype=splunk host=YourHost yourfilename
Where should I run this, sir? In the forwarder or the indexer?
sourcetype=splunk or sourcetype=the sourcetype which is not getting forwarded
I got it, sir, sorry for the silly question! I will run them and give you the results!
Hello Sir, no errors of any sort!
What to do now?
Firstly, I had a typo in the search, just corrected it (sourcetype to be searched is splunk*d*).
Assuming you forward _internal logs from the forwarder to your indexers, this search should be run from your search head.