Getting Data In

in the search head I am not able to see the logs but logs are coming from the forwarder and no error found in splunkd

Mahi4rus
Explorer

in the search head I am not able to see the logs but logs are coming from the forwarder and no error found in splunkd please provide me the troubleshooting steps.

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Mahi4rus,

did you checked if you have the grants to access the index [Settings -- Roles -- <your_role> -- Indexes] and if it's in the default search path.

You can also check the first item running a search on the same index viewing if you see the logs from other servers.

You can check the second  running a simple search index=your_index

Ciao.

Giuseppe

Mahi4rus
Explorer

Yes it it is connected to indexer and input.conf  also configured i have checked the splunkd lao as we but i didn't see any error there

0 Karma

soutamo
SplunkTrust
SplunkTrust

Your outputs.conf on UF is also on place and working?

You should found UF's internal logs on IDX by queries from SH like index=_internal host=<UF name*> source=*splunkd.log sourcetype=splunkd earliest=0

If you see something then UF has connection to your IDX if not then it haven't that connection. Then you should look UF's splunkd.log etc. locally on file system. There should be explanation why it cannot connect to IDX.

r. Ismo

aasabatini
Contributor

Hi @Mahi4rus ,

te seaech head is connected  with the indexers?

 

on the UF is already configured the inputs.conf?

 

Regards

Alessandro