Getting Data In

help please : inputs problem

Path Finder

Hi, I have configured my universal forwarder and Splunk so I can find my machine in the host list of Splunk, but I think I have a problem in the inputs.conf because I can't find the sourcetype and the indexer that I have created.

1 Solution

SplunkTrust

You should look at the forwarder logs and see if it's sending data. You can see this by going to /opt/splunkforwarder/var/log/splunk/splunkd.log, and this will tell you if it's sending its logs to the indexer(s). You can also do a quick search to see if any logs are present. Assuming this is a relatively new setup, you can set your time range to all-time:

| metasearch index=me

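An added example (my own, not code from the thread or from Splunk) that does what this reply asks for by hand: read the forwarder's splunkd.log and report whether it connected to an indexer and what it is warning about. The log lines inside it are constructed to follow the splunkd.log layout (timestamp, level, component, " - ", message); the indexer address and paths are made up.

```python
"""Scan a universal forwarder's splunkd.log and report forwarding status.

Added example (my own, not code from the thread or from Splunk): it does what
the reply above asks for by hand. The sample lines are constructed to follow
the splunkd.log layout (timestamp, level, component, ' - ', message); the
indexer address and paths are made up.
"""
import re
from collections import Counter

# One splunkd.log line: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL  Component - message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)
CONNECTED_RE = re.compile(r"Connected to idx=(?P<dest>[^,\s]+)")   # TcpOutputProc success
FAILED_RE = re.compile(r"(?:host|ip)=(?P<dest>[\d.]+:\d+)")         # TcpOutput* failure/timeout

# Constructed sample: a connect, a timeout, a failure, then a reconnect, plus one junk line
SAMPLE_LOG = r"""
05-14-2019 09:12:01.101 +0100 INFO  TailingProcessor - Parsing configuration stanza: monitor://C:\var\log\splunk\splunkd.log.
05-14-2019 09:12:02.205 +0100 INFO  TcpOutputProc - Connected to idx=10.10.1.1:9997, pset=0, reuse=0.
05-14-2019 09:15:30.010 +0100 WARN  TcpOutputProc - Cooked connection to ip=10.10.1.1:9997 timed out
05-14-2019 09:15:31.020 +0100 ERROR TcpOutputFd - Connection to host=10.10.1.1:9997 failed
05-14-2019 09:15:33.400 +0100 INFO  TcpOutputProc - Connected to idx=10.10.1.1:9997, pset=0, reuse=0.
this line is not in splunkd.log format and is skipped
""".strip().splitlines()


def parse_line(line):
    """Return (level, component, message), or None for a line that is not splunkd.log format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m.group("level"), m.group("component"), m.group("msg")


def summarize(lines):
    """Summarize forwarder health from splunkd.log lines.

    Tracks which indexers the forwarder connected to, which destinations it
    reported failures for, how many lines per level, every WARN/ERROR message
    (these are what to chase down), and whether the *last* output event was a
    connect ("up") or a failure ("down"), so a transient timeout followed by a
    reconnect does not read as a dead forwarder.
    """
    connected, failed, problems = set(), set(), []
    levels = Counter()
    last_output_state = "unknown"
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        level, component, msg = parsed
        levels[level] += 1
        if component == "TcpOutputProc" and (m := CONNECTED_RE.search(msg)):
            connected.add(m.group("dest"))
            last_output_state = "up"
        if level in ("WARN", "ERROR"):
            problems.append(f"{level} {component} - {msg}")
            if component.startswith("TcpOutput"):
                last_output_state = "down"
                if m := FAILED_RE.search(msg):
                    failed.add(m.group("dest"))
    return {
        "connected": connected,
        "failed": failed,
        "levels": dict(levels),
        "problems": problems,
        "last_output_state": last_output_state,
    }


def forwarding_ok(summary):
    """True when the forwarder logged a connection and its most recent output event was a connect."""
    return bool(summary["connected"]) and summary["last_output_state"] == "up"


if __name__ == "__main__":
    import sys
    # Usage: python check_splunkd_log.py [path\to\splunkd.log]; without a path the sample is used
    lines = open(sys.argv[1], encoding="utf-8", errors="replace").read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarize(lines)
    print("connected to:", sorted(s["connected"]) or "nothing")
    print("forwarding ok:", forwarding_ok(s))
    for p in s["problems"]:
        print(" ", p)
```

Point it at the forwarder's own splunkd.log (the path this reply gives, or the Windows one further down the thread) and look at the problems list first; a forwarder that never logs a "Connected to idx=" line has an outputs or network problem, one that connects but never indexes your file has an inputs problem.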


Path Finder

metasearch index=me didn't give me any result, and I think the forwarder is not sending logs to the indexer.


SplunkTrust

Most likely. You should check out the forwarder logs and see what the forwarder is complaining about. Also, can you do a telnet from the forwarder to the indexer?

From the forwarder machine, go to your cmd prompt and do a telnet <indexIP> 9997 and see if it connects. The forwarder logs will also tell you if it's being blocked. Either way works.


Path Finder

When I do telnet 10.10.1.1 9997, an empty black window opens with the name "telnet 10.10.1.1".


SplunkTrust

This means your forwarder can successfully connect to the indexer on that port, so you do not have a firewall issue; it's most likely a configuration issue. Have you confirmed the file you're monitoring has data? Did you restart the Splunk service after updating your inputs?

What is the forwarder log saying? If it's a Windows machine, you can check under

C:/Program Files/Splunkforwarder/var/log/splunk/splunkd.log


Path Finder


This is how it looks.
And what did you mean by confirm the file you're monitoring has data?


SplunkTrust

Your image doesn't work. You can simply look through the file and identify if there are errors. If there are errors, then you need to chase down what they are.

Do you have a log file under C:\var\log\splunk*.log? Does that log file have data?

I don't see an index defined for your perfmon data; have you checked index=main to see if it's there? Try this (don't forget to include the leading "|"):

| metasearch index=*


Path Finder

I didn't find an error file.


Path Finder

When I do splunk list inputstatus, I find this: https://postimg.cc/image/8chpezujl/
So I changed [monitor:/C:\var\log*.log] to [monitor:\\var\log*.log]
https://postimg.cc/image/ked39aoe9/


SplunkTrust

You're ignoring my questions...

Have you confirmed there are logs under C:\\var\log*.log OR \var\log*.log? You're also missing a C:\ in your new stanza. You MUST restart the splunk service after changing inputs. Have you also looked under index=main?


Path Finder

Sorry, I have log files under var\log\splunk and they have data.
In splunkd.log I didn't find an error.
I looked under index=main and I find all events with host= the machine of my forwarder and source and sourcetype = WinEventLog:Security,
and I didn't find my index or my sourcetype,
and when I do | metasearch index=me I have no result.


SplunkTrust

This means your forwarder is working as expected and you have a misconfiguration in your stanza for index=me.

Can you give me the full path, including the log file name?

I'm assuming it's C:\var\log\splunk\<logname>.log?


Path Finder

C:\var\log\splunk\splunkd.log or
C:\var\log\splunk\health.log

With *.log I meant any log file.


SplunkTrust

Update your inputs.conf with the stanza below. If this works, then you can replace splunkd.log with *.log. You must restart the Splunk service to verify this is working. Once you restart, you should then set the time range picker to all-time and run | metasearch index=me.

[monitor://C:\var\log\splunk\splunkd.log]
index=me
sourcetype=log

If this doesn't work then it could be a permissions issue.


Path Finder

It didn't work 😞


SplunkTrust

Did you restart the Splunk service after applying the inputs? You should try moving a log file to C:\ and then monitoring it there and verifying it works. If it works, then it's a permissions issue in C:\var.


Path Finder

I did restart the Splunk server and the forwarder, and it didn't work.
I moved the log file to C:\ and monitored it and restarted, and it didn't work either.


Path Finder

Thank you so so much. I uninstalled Splunk and the universal forwarder and then installed them again, and they worked 😄


SplunkTrust

You're selectively answering my questions. Please go back and look over the questions I asked and verify.


Ultra Champion

You're showing the inputs.conf on the UF, what does the rest of your setup look like? Have you also configured outputs.conf to send the data to your indexer? Have you set up this index on your indexer?

You'll need to describe your problem a bit better for anyone to be able help you solve it.

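An added example (my own, not from the thread or from Splunk) that checks the points raised across the thread together: the inputs.conf header format the poster got wrong twice (one slash, then no drive letter), whether the index named in inputs.conf is defined on the indexer, what tcpout group outputs.conf actually points at, and the telnet test from earlier in the thread. The inputs.conf, outputs.conf and indexes.conf text inside it is constructed; 10.10.1.1:9997 is the thread's own indexer address and is only used as data.

```python
"""Check a universal forwarder's inputs.conf and outputs.conf against the indexer.

Added example (my own, not code from the thread or from Splunk). It automates the
checks the replies ask for: a monitor header must be 'monitor://<absolute path>'
(the thread's had one slash, then no drive letter), the index named must exist on
the indexer, outputs.conf must name a tcpout group with a server, and that server
must answer on its port (the telnet test). All config text is constructed.
"""
import configparser
import re
import socket

BUILTIN_INDEXES = {"main", "_internal", "_audit"}  # present without any indexes.conf stanza

# Constructed sample inputs.conf: the thread's two broken headers, one good stanza,
# one stanza naming an index the indexer does not have, and an unrelated stanza
SAMPLE_INPUTS = r"""
[monitor:/C:\var\log*.log]
index=me

[monitor:\\var\log*.log]
index=me

[monitor://C:\var\log\splunk\splunkd.log]
index=me
sourcetype=log

[monitor://C:\var\log\splunk\health.log]
index=security

[WinEventLog://Security]
disabled=0
"""

SAMPLE_OUTPUTS = """
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = 10.10.1.1:9997
"""

SAMPLE_INDEXES = """
[me]
homePath = $SPLUNK_DB/me/db
"""


def _parse(text):
    # Splunk .conf files are INI-like: '=' separators, no %-interpolation, case-sensitive keys
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def defined_indexes(indexes_text):
    """Index names the indexer accepts: built-ins plus [name] stanzas in its indexes.conf."""
    cp = _parse(indexes_text)
    return BUILTIN_INDEXES | {s for s in cp.sections() if s != "default" and not s.startswith("volume:")}


def check_inputs(inputs_text, known_indexes):
    """Return a list of problems found in the monitor stanzas of inputs.conf."""
    problems = []
    cp = _parse(inputs_text)
    for section in cp.sections():
        if not section.startswith("monitor:"):
            continue  # WinEventLog://, perfmon://, script:// stanzas are out of scope here
        m = re.match(r"^monitor://(.+)$", section)
        if m is None:
            problems.append(f"[{section}]: header must be monitor://<path> (two slashes)")
            continue
        path = m.group(1)
        # Assumption: local paths only (drive letter on Windows, / on Unix); UNC paths not handled
        if re.match(r"^(?:[A-Za-z]:[\\/]|/)", path) is None:
            problems.append(f"[{section}]: path {path!r} is not absolute (missing C:\\ ?)")
        index = cp[section].get("index", "main")  # no index key: events land in the indexer's default, main
        if index not in known_indexes:
            problems.append(f"[{section}]: index={index} is not defined on the indexer")
    return problems


def output_targets(outputs_text):
    """(host, port) pairs in the tcpout group that outputs.conf sends to by default."""
    cp = _parse(outputs_text)
    group = cp["tcpout"].get("defaultGroup", "").split(",")[0].strip() if cp.has_section("tcpout") else ""
    if not cp.has_section(f"tcpout:{group}"):
        return []
    targets = []
    for entry in cp[f"tcpout:{group}"].get("server", "").split(","):
        host, _, port = entry.strip().rpartition(":")
        if host and port.isdigit():
            targets.append((host, int(port)))
    return targets


def tcp_reachable(host, port, timeout=3.0):
    """The telnet test from the thread: True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Import it and call check_inputs() on the real inputs.conf from the forwarder's etc/system/local (or etc/apps/<app>/local) directory with defined_indexes() fed the indexer's indexes.conf; a non-empty list is the misconfiguration the replies were hunting for, and tcp_reachable() on each output_targets() entry replaces the manual telnet. It only reads the files; restarting the service after fixing them is still on you, as the replies keep saying.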