missing data in All Forwarders - Splunk Deployment...

bkaspar · ‎03-21-2011

We just updated to 4.2 on our splunk server, and I am in the midst of pushing the Universal Forwarder out to replace out light forwarders. The problem I have on one of your two installations is a lack of data in the Deployment Monitor. On one network the All forwarders list has all our clients, their version, all kind of handy stuff. On the other, nothing, totally empty. It seems like it's capturing the same data in the metric logs, it's just not getting indexed. Any idea on how to sort that out?

sideview · ‎03-21-2011

I believe but I'm not sure, that the Splunk Deployment Monitor app needs the forwarders to all be 4.2 forwarders. And if they are not, I suspect you'd see the 'total emptiness' that you're seeing. Just an idea.

jbsplunk · ‎03-21-2011

If the data is being captured in the metrics.log, it has been indexed, otherwise you wouldn't see it recorded. Since the data is in metrics.log, it is likely the data is coming in and being indexed in a way that you do not expect. Perhaps it is being timestamped improperly, or sent to an index that you aren't searching. I would try to do an all time, real time search looking for the data that your seeing in metrics.log to see what the events look like, and from there you should probably be able to figure out how to tackle the problem.

missing data in All Forwarders - Splunk Deployment App

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation