Getting Data In

Why am I unable to forward logs from a Linux machine to Windows using Splunk 6.3?

CREVITCH
Path Finder

I am new to Splunk and downloaded Splunk free to several machines, Linux and Windows. All machines are on the same subnet. I have been successful at forwarding logs from Windows to Linux, and from Windows to Windows, but I cannot seem to see the Linux logs on the Windows Splunk. I see the TCP handshake and the log text, but Splunk never shows the machine name or the logs in the data summary.

Using Splunk 6.3.0 on CentOS 6.6. The logging capability seems to work fine on the Linux machine when viewed locally. The Windows machines are both using Splunk 6.3.0 as well.

Many Thanks

1 Solution

MuS
SplunkTrust
SplunkTrust

Hi CREVITCH,

Run this search: | tstats count WHERE index=* sourcetype=* by index, sourcetype, host to see if the host is listed. If so, run a search over all time for the index listed in the above search result:

index=<from above> earliest=0

Check splunkd.log or index=_internal for errors related to this host/input; maybe date errors and the timestamp is not recognised? Hint: http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/Configuretimestamprecognition

Hope this helps ...

cheers, MuS


CREVITCH
Path Finder

Thank you. I ran the search and the source (forwarding) host (Linux box) did not appear. I still see my Windows desktop (receiver) handshaking with the source on Wireshark. Any other things I can try?


CREVITCH
Path Finder

I just added the index the Linux server was creating (os) to the Windows Splunk and it is now showing up. Thanks!
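The accepted answer points at splunkd.log as the place to look, and the resolution above turned out to be an index ("os") that existed on the Linux forwarder but not on the Windows receiver. The script below is an added example from the editor, not code from the thread or from Splunk: it scans splunkd.log text for the two failure modes this thread touches (events arriving for an index the receiver does not have, and events whose timestamps cannot be parsed) and summarises them per host. The sample log lines are constructed, and the message wording and field layout they follow are the editor's recollection of Splunk's splunkd.log, so treat the regular expressions as an assumption to adjust against your own version's output.

```python
import re
from collections import Counter

# Constructed sample lines in the style of Splunk's splunkd.log. The message
# wording is the editor's recollection of Splunk 6.x, not copied from the thread.
SAMPLE_SPLUNKD_LOG = """\
10-15-2015 14:02:11.101 +0000 INFO  TcpInputProc - Connection in cooked mode from src=192.0.2.10:51234
10-15-2015 14:02:11.123 +0000 WARN  IndexProcessor - Received event for unconfigured/disabled/deleted index=os with source="source::/var/log/messages" host="host::centos-box" sourcetype="sourcetype::syslog". So far received events from 1 missing index(es).
10-15-2015 14:02:12.007 +0000 WARN  IndexProcessor - Received event for unconfigured/disabled/deleted index=os with source="source::/var/log/secure" host="host::centos-box" sourcetype="sourcetype::linux_secure". So far received events from 1 missing index(es).
10-15-2015 14:02:13.450 +0000 WARN  DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Thu Oct 15 14:02:12 2015). Context: source::/var/log/app.log|host::centos-box|sourcetype::app_log|1
10-15-2015 14:02:14.000 +0000 INFO  Metrics - group=thruput, name=index_thruput, instantaneous_kbps=0.5
"""

# Event received for an index that is not configured on this receiver.
# The receiver drops such events, so they never show up in a search.
MISSING_INDEX_RE = re.compile(
    r'Received event for unconfigured/disabled/deleted index=(?P<index>\S+) '
    r'with source="source::(?P<source>[^"]*)" host="host::(?P<host>[^"]*)" '
    r'sourcetype="sourcetype::(?P<sourcetype>[^"]*)"'
)

# Timestamp could not be recognised; the event is indexed with a guessed time,
# which makes it easy to miss in a time-bounded search.
BAD_TIMESTAMP_RE = re.compile(
    r'DateParserVerbose - Failed to parse timestamp.*Context: '
    r'source::(?P<source>[^|]*)\|host::(?P<host>[^|]*)\|sourcetype::(?P<sourcetype>[^|]*)'
)


def triage_splunkd_log(text):
    """Summarise why a forwarder's events may not be searchable on this receiver.

    Returns a dict with:
      missing_index: {(host, index): dropped_event_count}  -> create the index on the receiver
      bad_timestamp: {(host, sourcetype): count}           -> fix timestamp recognition (props.conf)
    """
    missing = Counter()
    bad_ts = Counter()
    for line in text.splitlines():
        m = MISSING_INDEX_RE.search(line)
        if m:
            missing[(m.group("host"), m.group("index"))] += 1
            continue
        m = BAD_TIMESTAMP_RE.search(line)
        if m:
            bad_ts[(m.group("host"), m.group("sourcetype"))] += 1
    return {"missing_index": dict(missing), "bad_timestamp": dict(bad_ts)}


def hosts_needing_attention(text):
    """Hosts that are reaching the receiver but whose events are dropped or mis-timed."""
    report = triage_splunkd_log(text)
    hosts = {h for h, _ in report["missing_index"]} | {h for h, _ in report["bad_timestamp"]}
    return sorted(hosts)


if __name__ == "__main__":
    # On a real receiver, read $SPLUNK_HOME/var/log/splunk/splunkd.log instead.
    report = triage_splunkd_log(SAMPLE_SPLUNKD_LOG)
    for (host, index), n in report["missing_index"].items():
        print(f"{host}: {n} event(s) dropped, index '{index}' is not configured on this receiver")
    for (host, sourcetype), n in report["bad_timestamp"].items():
        print(f"{host}: {n} event(s) of sourcetype '{sourcetype}' had unparseable timestamps")
```

A host that appears in the missing_index summary is exactly the situation in this thread: the network path and the TCP handshake are fine, the data arrives, and the receiver discards it because the target index does not exist. Creating the index on the receiver (or pointing the forwarder's input at an index that does) is the fix; the bad_timestamp summary covers the other case the answer mentions, where events are indexed but land at the wrong time.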
