Getting Data In

Why isn't my data reaching the index?

ddrillic
Ultra Champion

We have a small farm with no access to the forwarders. The forwarders do phone home but the following returns nothing when running it against all time -

index=_internal host=<fwdhost1>* OR host=<fwdhost2>* OR host=<fwdhost3>* OR host=<fwdhost4>* OR host=<fwdhost5>*

Nothing reaches the index.

How can we debug it further?

0 Karma
1 Solution

mdsnmss
SplunkTrust

Is it a distributed or standalone deployment? If distributed, I would check if it is connecting to the indexers. You can get a phone home without connecting to the indexers since the phone home goes through the deployment server. You can use the search to look for the hosts to see if they are connecting:

index=_internal source=*metrics.log tcpin_connections

If not, it could be for a variety of reasons: a firewall preventing it, no forward-server listed on the forwarder, or a monitor not working on the forwarders.


0 Karma


ddrillic
Ultra Champion

It's a distributed deployment and this query returns events for the two indexers. I don't see the forwarders listed. Should they?

You said -

-- If not, it could be for a variety of reasons.

Meaning, the forwarders apparently can't reach the indexers, right?

I ran this query on our core farm - index=_internal source=*metrics.log tcpin_connections and it doesn't show the forwarders...

I ran - index=_internal sourcetype=splunkd component=TcpOutputProc (host=<fwdhost1>* OR host=<fwdhost2>*)

Nothing came back. So, I guess no connectivity exists between the forwarders and the indexers...

0 Karma

mdsnmss
SplunkTrust

Your forwarders would be listed as the sourceHost field. Likely as an IP rather than a hostname. If you don't see the forwarders listed it would likely mean they are not reaching the indexers.

0 Karma
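
The check described in the answers above, as an added example that is not part of the original thread: an SPL search over the indexers' metrics.log that groups inbound forwarder connections by sourceHost and shows when each was last seen. The 15-minute staleness threshold and the output field names (last_seen, kb_received, status and so on) are assumptions chosen for illustration.

```spl
index=_internal source=*metrics.log group=tcpin_connections
| stats latest(_time) AS last_seen
        sum(kb) AS kb_received
        values(hostname) AS forwarder_name
        values(fwdType) AS forwarder_type
        BY sourceHost
| eval minutes_since_last_seen = round((now() - last_seen) / 60)
| eval status = if(minutes_since_last_seen > 15, "stale", "connected")
| convert ctime(last_seen)
| sort - minutes_since_last_seen
```

A forwarder that phones home to the deployment server but has no row here, by IP or by name, is not delivering data to the indexers.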

ddrillic
Ultra Champion

Perfect - much appreciated.

0 Karma