I am new to Splunk and downloaded Splunk free to several machines, Linux and Windows. All machines are on the same subnet. I have been successful at forwarding logs from Windows to Linux, and from Windows to Windows, but I cannot seem to see the Linux logs on the Windows Splunk. I see the TCP handshake and the log text, but Splunk never shows the machine name or the logs in the data summary.
Using Splunk 6.3.0 on CentOS 6.6. The logging capability seems to work fine on the Linux machine when viewed locally. The Windows machines are both using Splunk 6.3.0 as well.
Run this search:
| tstats count WHERE index=* sourcetype=* by index, sourcetype, host
to see if the host is listed. If so, run a search over all time for the index listed in the above search result:
index=<from above> earliest=0
Then search index=_internal for errors related to this host/input; maybe date errors, and the timestamp is not recognised? Hint: http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/Configuretimestamprecognition
Hope this helps ...
Thank you. I ran the search and the source (forwarding) host (Linux box) did not appear. I still see my Windows desktop (receiver) handshaking with the source in Wireshark. Any other things I can try?
I just added the index the Linux server was creating (os) to the Windows Splunk and it is now showing up. Thanks!
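The fix the last comment describes, as an added example that is not part of the original thread: an indexes.conf stanza (placed in $SPLUNK_HOME/etc/system/local/ on the receiving Windows instance) that defines the os index the Linux forwarder sends to. The path values and the splunkd warning text quoted below are assumptions, not taken from the thread.

```ini
# indexes.conf on the receiving (indexer) instance -- added example, not from the thread.
# Without this stanza the forwarder's TCP session completes (as seen in Wireshark),
# but events tagged index=os are dropped, so the Linux host never appears in the
# data summary. Paths below are the usual defaults and are assumed.
[os]
homePath   = $SPLUNK_DB/os/db
coldPath   = $SPLUNK_DB/os/colddb
thawedPath = $SPLUNK_DB/os/thaweddb
```

Restart the receiver after adding the stanza; to confirm this was the cause, search the receiver's own logs with index=_internal sourcetype=splunkd "unconfigured/disabled/deleted index" (assumed splunkd message text), which shows the drops that occurred before the index existed.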