In the search head I am not able to see the logs, but logs are coming from the forwarder and no error was found in splunkd. Please provide me the troubleshooting steps.
Hi @Mahi4rus,
did you check if you have the grants to access the index [Settings -- Roles -- <your_role> -- Indexes] and if it's in the default search path?
You can also check the first item by running a search on the same index and seeing if you see the logs from other servers.
You can check the second by running a simple search: index=your_index
Ciao.
Giuseppe
Yes, it is connected to the indexer and inputs.conf is also configured. I have checked the splunkd log as well, but I didn't see any error there.
Is your outputs.conf on the UF also in place and working?
You should find the UF's internal logs on the IDX with queries from the SH like index=_internal host=<UF name*> source=*splunkd.log sourcetype=splunkd earliest=0
If you see something, then the UF has a connection to your IDX; if not, then it doesn't have that connection. Then you should look at the UF's splunkd.log etc. locally on the file system. There should be an explanation why it cannot connect to the IDX.
r. Ismo
Hi @Mahi4rus ,
Is the search head connected with the indexers?
Is inputs.conf already configured on the UF?
Regards
Alessandro