
Why is syslog data not getting indexed with my current inputs.conf on the forwarder?

athorat
Communicator

We are trying to Index data from syslog and have the following configuration in the inputs.conf on the forwarder.

[tcp://IP:10514]
index = NWK
disabled = 0
#followTail = 0
sourcetype = NW:PROD:SYSLOG

From the search head, when we use index=NWK, it does not show any data.
What can be checked to see where the connection is breaking?

Thanks,
Anil.

0 Karma

lguinn2
Legend

On the forwarder, take a look at

SPLUNK_HOME/var/log/splunk/splunkd.log

This will show you if there are any error messages regarding the inputs.conf, outputs.conf etc.
Connection failures usually appear here.

Also, is there an index named NWK on the indexer?

0 Karma

athorat
Communicator

Ok, I see this error in the log files

and that's the source IP address.
Which is up and running and has the source files.
Able to resolve the IP.
Also tried using the FQDN in the inputs.conf instead of the IP, no luck.

08-14-2015 11:32:59.636 -0700 INFO TcpInputConfig - No matching config for 172.26.95.7
08-14-2015 11:32:59.636 -0700 WARN TcpInputProc - Could not find matching host.
08-14-2015 11:33:11.126 -0700 INFO TcpInputConfig - No matching config for 172.26.95.7
08-14-2015 11:33:11.126 -0700 WARN TcpInputProc - Could not find matching host.

How do I identify if Splunk is not able to connect and fetch the data, or if it is something else?

0 Karma

diogofgm
SplunkTrust

Is the source sending data to port 10514?
I had some issues before on network devices because some devices didn't allow me to change the port for syslog from 514, and if I was running Splunk as a user other than root I couldn't create inputs for port 514.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

athorat
Communicator

Yes, there is an index named NWK on the indexer.
And also it shows up in index=NWK, which is coming from some remote_searches.log file.
I will check from the log file in the mean time.
Thanks.

0 Karma

cramasta
Builder

Is the syslog data being generated from the same host that's running the forwarder?
If it is I would suggest setting it up like this and testing.

[tcp://:10514]
connection_host = none
index=NWK
sourcetype = NW:PROD:SYSLOG

0 Karma
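The stanza in the question restricts the input to one sender (the `IP` in `[tcp://IP:10514]`), and the splunkd.log lines quoted above say no config matched the host that actually connected (172.26.95.7). As an added example, not code from the thread or from Splunk, here is a small Python check that parses the `[tcp://host:port]` stanzas out of an inputs.conf and the `TcpInputConfig - No matching config for <ip>` lines out of splunkd.log, then reports whether any enabled stanza on the port would accept the rejected sender. The conf and log text are constructed samples; 10.0.0.5 stands in for the question's `IP`, and port 10515 is an assumed second stanza written the way cramasta suggests.

```python
import re
# Constructed sample inputs.conf: the host-restricted stanza from the question (10.0.0.5 is an
# assumed placeholder for "IP") plus an unrestricted stanza on an assumed second port.
SAMPLE_INPUTS_CONF = """\
[tcp://10.0.0.5:10514]
index = NWK
disabled = 0
sourcetype = NW:PROD:SYSLOG
[tcp://:10515]
connection_host = none
index = NWK
"""
# Constructed splunkd.log lines in the same shape as those quoted in the thread.
SAMPLE_SPLUNKD_LOG = """\
08-14-2015 11:32:59.636 -0700 INFO TcpInputConfig - No matching config for 172.26.95.7
08-14-2015 11:32:59.636 -0700 WARN TcpInputProc - Could not find matching host.
"""
STANZA_RE = re.compile(r"^\[tcp://(?:(?P<host>[^:\]]*):)?(?P<port>\d+)\]$")
NO_MATCH_RE = re.compile(r"TcpInputConfig - No matching config for (?P<ip>\S+)")

def parse_tcp_stanzas(conf_text):
    """Return {port: set of allowed sender hosts}; "" means any sender. disabled = 1 stanzas are dropped."""
    stanzas, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = STANZA_RE.match(line)
        if m:
            current = (int(m.group("port")), m.group("host") or "")
            stanzas.setdefault(current[0], set()).add(current[1])
        elif current and re.match(r"disabled\s*=\s*(1|true)$", line, re.I):
            stanzas[current[0]].discard(current[1])
    return stanzas

def rejected_sources(log_text):
    """Sender IPs that splunkd reported as having no matching TCP input config."""
    return sorted({m.group("ip") for m in map(NO_MATCH_RE.search, log_text.splitlines()) if m})

def diagnose(conf_text, log_text, port):
    """For each rejected sender, say whether an enabled stanza on `port` would accept it."""
    allowed = parse_tcp_stanzas(conf_text).get(port, set())
    report = {}
    for ip in rejected_sources(log_text):
        if "" in allowed or ip in allowed:
            report[ip] = "accepted by stanza; check the network path and outputs.conf"
        elif allowed:
            report[ip] = "stanza restricts the sender to " + ", ".join(sorted(allowed))
        else:
            report[ip] = "no enabled tcp stanza on port %d" % port
    return report
```

Running `diagnose(SAMPLE_INPUTS_CONF, SAMPLE_SPLUNKD_LOG, 10514)` on the sample reports that the stanza restricts the sender to 10.0.0.5, which is the mismatch the quoted log lines describe.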

athorat
Communicator

It's coming from a different server, not from the heavy forwarder.

0 Karma

diogofgm
SplunkTrust

Is that the only data source in the forwarder?
If not, are the others working OK?
If it is what's your outputs.conf like?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

athorat
Communicator

No there are multiple data sources which are working using this forwarder.
outputs.conf contains server = Servername:9997 and some other config (is there anything I should be looking at here?)

0 Karma

diogofgm
SplunkTrust

If the other sources are OK I would look at the origin of the data, or any connection between the forwarder and the IP:10514.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

athorat
Communicator

Yes, makes sense, though what do we look at on the origin of data?
Can you shed some light on it.

0 Karma