Getting Data In

Why am I unable to forward data from Universal forwarder?

Rebeccakettler
Path Finder

I am trying to index new data and it is not happening.

I am indexing a single log file that is being written to by the server whenever new events are added.

I put this statement into the MSIADDED inputs on the universal forwarder because that is where my current inputs live.

This is what I added.

[Monitor://D:\Software\Waratek\HR-Config\HR.log]
disabled = 0
sourcetype = waratek
index = main

This is sample of the file.

2018-05-02 11:02:09,851  CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 02|Load Rule|Low|outcome=success
2018-05-02 11:02:13,252  CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 02|Link Rule|Low|outcome=success
2018-05-02 11:02:13,263  CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 03|Load Rule|Low|outcome=success
2018-05-02 11:02:14,135  CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 03|Link Rule|Low|outcome=success

I can see the sourcetype show up in data summary; however, when I search for the data there is nothing there. Any suggestions here?

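To make the shape of the sample data concrete, here is a small parser for lines in the format quoted above (a timestamp prefix, then a CEF record with seven pipe-delimited header fields and a key=value extension). This is an added example, not code from the question or from the Waratek product; the four sample lines are embedded as constructed input, and the field names are the standard CEF header names rather than anything Splunk assigns.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: the four lines quoted in the question, as the log source writes them.
SAMPLE_LINES = [
    "2018-05-02 11:02:09,851  CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 02|Load Rule|Low|outcome=success",
    "2018-05-02 11:02:13,252  CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 02|Link Rule|Low|outcome=success",
    "2018-05-02 11:02:13,263  CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 03|Load Rule|Low|outcome=success",
    "2018-05-02 11:02:14,135  CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 03|Link Rule|Low|outcome=success",
]

# The seven pipe-delimited CEF header fields, in order:
# CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# The timestamp the application writes before the CEF record; it is not part of CEF itself.
_PREFIX_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+CEF:(?P<body>.*)$")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S,%f"

# Extension key=value pairs: a value runs until the next " key=" or the end of the line.
_EXT_RE = re.compile(r"(?P<key>[A-Za-z0-9_.]+)=(?P<val>.*?)(?=\s+[A-Za-z0-9_.]+=|$)")


def _split_header(body):
    """Split the CEF body on unescaped '|' into the 7 header fields plus the extension text."""
    fields, current, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # '\|' and '\\' are escapes inside header fields
            current.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 '|'-delimited fields")
    return fields, body[i:]


def parse_cef_line(line):
    """Parse one log line into a dict of header fields, a parsed _time and an 'extension' dict."""
    m = _PREFIX_RE.match(line)
    if not m:
        raise ValueError("line does not start with '<timestamp>  CEF:'")
    header, extension = _split_header(m.group("body"))
    event = dict(zip(HEADER_FIELDS, header))
    event["_time"] = datetime.strptime(m.group("ts"), TIME_FORMAT)
    # Escape sequences inside extension values ('\=', '\\') are left untouched here.
    event["extension"] = dict(_EXT_RE.findall(extension))
    return event


def count_by(events, field):
    """Count events per value of a header field, the way a 'stats count by <field>' would."""
    return dict(Counter(e[field] for e in events))


if __name__ == "__main__":
    events = [parse_cef_line(line) for line in SAMPLE_LINES]
    for e in events:
        print(e["_time"], e["signature_id"], e["name"], e["severity"], e["extension"])
    print(count_by(events, "signature_id"))
```

Running it on the sample shows two "Process Forking - 02" and two "Process Forking - 03" events, all with `outcome=success`; the parsed `_time` values are what a correct timestamp extraction in Splunk should also produce for these lines.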
1 Solution

Rebeccakettler
Path Finder

I had a typo in the inputs.conf. The M of Monitor was capped; once that was resolved, the data flowed.

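The stanza prefix in inputs.conf is case-sensitive, so `[Monitor://...]` is not recognized as a monitor input. A small lint pass over a forwarder's inputs.conf catches this class of typo before a restart and a fishbucket reset. This is an added example and not Splunk's own validation: the broken and fixed stanzas are constructed from the question, the parser is a minimal key = value reader, and the prefix list is limited to common input types.

```python
import re

# Constructed: the stanza from the question as typed (capital M) beside the corrected one.
BROKEN_STANZA = """[Monitor://D:\\Software\\Waratek\\HR-Config\\HR.log]
disabled = 0
sourcetype = waratek
index = main
"""

FIXED_STANZA = """[monitor://D:\\Software\\Waratek\\HR-Config\\HR.log]
disabled = 0
sourcetype = waratek
index = main
"""

# Common inputs.conf stanza prefixes. Spelling and case must match exactly.
KNOWN_PREFIXES = ("monitor", "batch", "tcp", "udp", "script", "WinEventLog", "perfmon")

_STANZA_RE = re.compile(r"^\[(?P<scheme>[^:\]]+)://(?P<target>[^\]]*)\]\s*$")


def parse_inputs_conf(text):
    """Return a list of (stanza_header, {key: value}) pairs; comments and blank lines are skipped."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            current = (line, {})
            stanzas.append(current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[1][key.strip()] = value.strip()
    return stanzas


def lint_stanza(header, settings):
    """Return a list of problems found in one stanza (empty when it looks fine)."""
    problems = []
    m = _STANZA_RE.match(header)
    if not m:
        return [f"{header}: stanza is not of the form [scheme://target]"]
    scheme = m.group("scheme")
    if scheme not in KNOWN_PREFIXES:
        # Same letters, different case: the most common typo, and exactly the one in this thread.
        same_letters = next((p for p in KNOWN_PREFIXES if p.lower() == scheme.lower()), None)
        if same_letters:
            problems.append(f"{header}: prefix '{scheme}' has the wrong case; use '{same_letters}'")
        else:
            problems.append(f"{header}: unknown stanza prefix '{scheme}'")
    if settings.get("disabled", "0").lower() in ("1", "true"):
        problems.append(f"{header}: input is disabled")
    if "index" not in settings:
        problems.append(f"{header}: no index set; events will go to the default index")
    return problems


def lint_inputs_conf(text):
    """Lint every stanza in an inputs.conf body and return all problems found."""
    return [p for header, settings in parse_inputs_conf(text) for p in lint_stanza(header, settings)]


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_STANZA), ("fixed", FIXED_STANZA)):
        print(label, lint_inputs_conf(text) or "ok")
```

Run against the broken stanza it reports the wrong-case prefix and suggests `monitor`; the fixed stanza produces no findings.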

richgalloway
SplunkTrust

@Rebeccakettler If your problem is resolved, please accept the answer to help future readers.


somesoni2
SplunkTrust

In data summary, does the sourcetype show any count? The events seem to be from May 2nd; is your time range large enough to include this? Does your user role have access to read data from index main?


Rebeccakettler
Path Finder

It will show 64 lines. I did not count them specifically but it looks right.
I have been putting my searches to All Time searches.
I am an admin but I also just verified my role. I have default admin and rights to all non internal and internal indexes.
I have done multiple attempts at the inputs.conf file (tried it on a different server too). They all show similar issues. I just deleted my fishbucket on the forwarder again and restarted the service. But this has not made a difference in the past. I don't have anything to normalize the data yet, but I can't see it soooooo


xpac
SplunkTrust

You could try this:

| tstats prestats=t count where sourcetype=waratek AND index=* by _time index
| timechart count by index

Set the search range to include events from 10 years ago until 10 years in the future, just in case some strange timestamp recognition happens.


Rebeccakettler
Path Finder

I can see the event count similar to data summary. When I try to drill down there is nothing there.


xpac
SplunkTrust

The timechart visualization should also show you the time range in which those events are, that might give you a hint what went wrong (e.g. wrong timestamp recognition = events in the future).

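The wide-range tstats search and the timechart above are both ways of asking the same question offline: where on the timeline did Splunk put these events? Before blaming timestamp recognition, the same check can be run against the raw file. This added example (not from the thread or from Splunk) applies a candidate time format to the first characters of each line, buckets the results per day like the timechart would, and flags events that fall in the future or outside the search window. The sample lines are constructed: two in the question's format, one deliberately dated a year later, and one written with a different date format so it fails to parse. Note that Python's strptime directives are only an approximation of Splunk's TIME_FORMAT (Splunk writes milliseconds as %3N where Python uses %f), so a format that passes here still needs to be transcribed for props.conf.

```python
from collections import Counter
from datetime import datetime, timedelta

# Python strptime directives; an offline stand-in for the TIME_FORMAT Splunk would use.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S,%f"
LOOKAHEAD = 23  # characters examined at the start of each line, in the spirit of MAX_TIMESTAMP_LOOKAHEAD

# Constructed sample: two lines in the question's format, one dated a year later, and one
# whose timestamp uses a different format (mm/dd/yyyy) so the candidate format cannot parse it.
SAMPLE_LINES = [
    "2018-05-02 11:02:09,851  CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 02|Load Rule|Low|outcome=success",
    "2018-05-02 11:02:13,252  CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 02|Link Rule|Low|outcome=success",
    "2019-05-02 11:02:13,263  CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 03|Load Rule|Low|outcome=success",
    "05/02/2018 11:02:14,135  CEF:0|ARMR:CWE-114: Process Control|CWE-114: Process Control|1.0|Process Forking - 03|Link Rule|Low|outcome=success",
]


def extract_timestamp(line, fmt=TIME_FORMAT, lookahead=LOOKAHEAD):
    """Return the datetime at the start of the line, or None if the candidate format does not match."""
    try:
        return datetime.strptime(line[:lookahead], fmt)
    except ValueError:
        return None


def time_range_report(lines, now, window_days=3650, fmt=TIME_FORMAT, lookahead=LOOKAHEAD):
    """Summarize where the events land on the timeline relative to 'now' (default window: +/- ~10 years)."""
    stamps = [extract_timestamp(line, fmt, lookahead) for line in lines]
    parsed = [t for t in stamps if t is not None]
    lo, hi = now - timedelta(days=window_days), now + timedelta(days=window_days)
    return {
        "parsed": len(parsed),
        # Lines the format did not match: Splunk would fall back to another timestamp source for these.
        "unparsed": [line for line, t in zip(lines, stamps) if t is None],
        "earliest": min(parsed) if parsed else None,
        "latest": max(parsed) if parsed else None,
        "in_future": sum(1 for t in parsed if t > now),
        "outside_window": sum(1 for t in parsed if not lo <= t <= hi),
        # Per-day counts: the shape the 'timechart count' in the thread would draw.
        "per_day": dict(Counter(t.strftime("%Y-%m-%d") for t in parsed)),
    }


if __name__ == "__main__":
    report = time_range_report(SAMPLE_LINES, now=datetime(2018, 5, 3, 12, 0, 0))
    for key, value in report.items():
        print(f"{key}: {value}")
```

With "now" fixed at 3 May 2018, three lines parse, one is reported as unparsed, one event lands in the future, and the per-day buckets show where the search range would have to reach. Changing `fmt` to a wrong directive order (for example day-first) parses nothing, which is the quickest way to spot a mis-transcribed TIME_FORMAT.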

Rebeccakettler
Path Finder

A time chart would not visualize. All I can get is a count. Anything else just drops it. Though I did open a support ticket.
