Re: in the search head I am not able to see the lo...

Mahi4rus · ‎03-31-2021

in the search head I am not able to see the logs but logs are coming from the forwarder and no error found in splunkd please provide me the troubleshooting steps.

gcusello · ‎03-31-2021

Hi @Mahi4rus,

did you checked if you have the grants to access the index [Settings -- Roles -- <your_role> -- Indexes] and if it's in the default search path.

You can also check the first item running a search on the same index viewing if you see the logs from other servers.

You can check the second running a simple search index=your_index

Ciao.

Giuseppe

Mahi4rus · ‎03-31-2021

Yes it it is connected to indexer and input.conf also configured i have checked the splunkd lao as we but i didn't see any error there

isoutamo · ‎03-31-2021

Your outputs.conf on UF is also on place and working?

You should found UF's internal logs on IDX by queries from SH like index=_internal host=<UF name*> source=*splunkd.log sourcetype=splunkd earliest=0

If you see something then UF has connection to your IDX if not then it haven't that connection. Then you should look UF's splunkd.log etc. locally on file system. There should be explanation why it cannot connect to IDX.

r. Ismo

aasabatini · ‎03-31-2021

Hi @Mahi4rus ,

te seaech head is connected with the indexers?

on the UF is already configured the inputs.conf?

Regards

Alessandro

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

in the search head I am not able to see the logs but logs are coming from the forwarder and no error found in splunkd

universal forwarder

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms