
running log on splunk heavy forwarder

Explorer

I have a heavy forwarder on-prem installed on a Windows OS.

I am troubleshooting why logs are not coming into the Splunk Cloud indexer from a cloud service over API. The API is between my on-prem Splunk heavy forwarder and the cloud service. I suspect the problem is on the cloud service side. I need a way to tell if the logs are even making it to my heavy forwarder. Is there a way to tail a running log on the heavy forwarder?

Also, I am referring to the on-prem Splunk server as a heavy forwarder. Is that the proper term? It sends data to the cloud indexer.

0 Karma

Re: running log on splunk heavy forwarder

SplunkTrust

Look in \Program Files\Splunk\var\log\splunk\splunkd.log for errors connecting to Splunk Cloud. They'll probably be associated with the TcpOutputProc component. If the HF has its web server enabled (it is by default) then you can sign in and search for index=_internal (component=TcpOutputProc OR SSL).

Problems connecting to Splunk Cloud are usually on the on-prem side. Firewalls often block connections. Certificates may be missing or in the wrong location. The OS may not support the right version of SSL. The logs should offer suggestions about the cause in your case.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: running log on splunk heavy forwarder

Explorer

Rich, other apps are able to get logs into this forwarder via REST API, and the logs are searchable on the Splunk Cloud indexer. That tells me that the forwarder is probably OK. I just need a way to show proof so that I can go back to the vendor's app side.
Proof will be confirming that the logs are not making it to the forwarder.

0 Karma

Re: running log on splunk heavy forwarder

SplunkTrust

I still recommend checking firewalls at both ends. Verify the app has the right URI.

If the HF has its web server enabled (it is by default) then you can sign in and search for index=_internal component=TcpInputProc for errors or warnings about incoming connections.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
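
An added example, not part of the original posts: one way to follow splunkd.log live on a Windows heavy forwarder and keep only warnings and errors from the TcpOutputProc and TcpInputProc components mentioned in the answers above. The C: drive, the splunkd.log line layout in the pattern, and the function name Select-SplunkdEvent are assumptions.

```powershell
# Added example (not from the thread). Assumption: default install path from the
# answer above, located on drive C:.
$SplunkdLog = 'C:\Program Files\Splunk\var\log\splunk\splunkd.log'

# Assumed line layout: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component [thread] - message"
$LinePattern = '^(?<time>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) ' +
               '(?<level>[A-Z]+)\s+(?<component>\S+)(?: \[[^\]]*\])? - (?<message>.*)$'

# Hypothetical helper: parse each line and pass through only the chosen
# components and severities as objects.
function Select-SplunkdEvent {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)] [string] $Line,
        [string[]] $Component = @('TcpOutputProc', 'TcpInputProc'),
        [string[]] $Level = @('WARN', 'ERROR', 'FATAL')
    )
    process {
        # Skip blank lines and continuation lines that do not start with a timestamp.
        if (-not ($Line -match $LinePattern)) { return }
        if ($Matches.component -notin $Component) { return }
        if ($Matches.level -notin $Level) { return }
        [pscustomobject]@{
            Time      = $Matches.time
            Level     = $Matches.level
            Component = $Matches.component
            Message   = $Matches.message
        }
    }
}

# Constructed sample lines (not from a real forwarder) to check the filter offline.
# Only the WARN and ERROR lines should be shown.
$sample = @(
    '01-01-2024 10:00:00.000 +0000 INFO  TcpInputProc - constructed informational line'
    '01-01-2024 10:00:01.000 +0000 WARN  TcpOutputProc - constructed warning line'
    '01-01-2024 10:00:02.000 +0000 ERROR TcpInputProc - constructed error line'
)
$sample | Select-SplunkdEvent | Format-Table -AutoSize

# Live tail: start with the last 200 lines, then keep following the file.
# Stop with Ctrl+C.
if (Test-Path $SplunkdLog) {
    Get-Content -Path $SplunkdLog -Tail 200 -Wait | Select-SplunkdEvent
}
```

An empty result here only means splunkd logged no warnings or errors for those components during the window you watched.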