Getting Data In

running log on splunk heavy forwarder

trojan_81
Path Finder

I have a heavy forwarder on-prem installed on a Windows OS.

I am troubleshooting why logs are not coming into the Splunk Cloud indexer from a cloud service over API. The API is between my on-prem Splunk heavy forwarder and the cloud service. I suspect the problem is on the cloud service side. I need a way to tell if the logs are even making it to my heavy forwarder. Is there a way to tail a running log on the heavy forwarder?

Also, I am referring to the on-prem Splunk server as a heavy forwarder. Is that the proper term? It sends data to the cloud indexer.

0 Karma

richgalloway
SplunkTrust

Look in \Program Files\Splunk\var\log\splunk\splunkd.log for errors connecting to Splunk Cloud. They'll probably be associated with the TcpOutputProc component. If the HF has its web server enabled (it is by default) then you can sign in and search for index=_internal (component=TcpOutputProc OR SSL).

Problems connecting to Splunk Cloud are usually on the on-prem side. Firewalls often block connections. Certificates may be missing or in the wrong location. The OS may not support the right version of SSL. The logs should offer suggestions about the cause in your case.

---
If this reply helps you, Karma would be appreciated.
0 Karma

trojan_81
Path Finder

Rich. Other apps are able to get logs into this Forwarder via REST API and the logs are searchable on the Splunk Cloud indexer. That tells me that the Forwarder is probably ok. I just need a way to show proof so that I can go back to the vendor's app side.
Proof will be confirming that the logs are not making it to the Forwarder.

0 Karma

richgalloway
SplunkTrust

I still recommend checking firewalls at both ends. Verify the app has the right URI.

If the HF has its web server enabled (it is by default) then you can sign in and search for index=_internal component=TcpInputProc for errors or warnings about incoming connections.

---
If this reply helps you, Karma would be appreciated.
0 Karma
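
Added example, not part of either reply: a PowerShell way to follow splunkd.log on the HF and keep only WARN/ERROR lines from the two components named in the answers above. The function name, the C: drive letter, the assumed line layout (timestamp, level, component, message) and the sample lines are assumptions made for this example.

```powershell
# Added example (not from the thread). Path is the one quoted in the answer;
# the C: drive letter is an assumption.
$SplunkdLog = 'C:\Program Files\Splunk\var\log\splunk\splunkd.log'
$Components = 'TcpOutputProc', 'TcpInputProc'   # components named in the answers

# Hypothetical helper: emit an object for each WARN/ERROR line that belongs to a
# component of interest; every other line is dropped.
# Assumed layout: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component [thread] - message"
function ConvertFrom-SplunkdLine {
    param(
        [Parameter(ValueFromPipeline)] [string] $Line,
        [string[]] $Component = $Components
    )
    process {
        $pattern = '^(?<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})\s+' +
                   '(?<level>[A-Z]+)\s+(?<comp>\S+)\s+(?<msg>.*)$'
        if ($Line -match $pattern -and
            $Matches.comp -in $Component -and
            $Matches.level -in 'WARN', 'ERROR') {
            [pscustomobject]@{
                Time      = $Matches.ts
                Level     = $Matches.level
                Component = $Matches.comp
                # Strip the optional "[thread] - " prefix from the message text.
                Message   = $Matches.msg -replace '^(\[[^\]]*\]\s*)?-\s*', ''
            }
        }
    }
}

# Constructed sample lines (not real output) to show what is kept and dropped.
$sample = @(
    '03-12-2024 10:15:30.101 -0500 INFO  TcpOutputProc [4321 parsing] - constructed: connected to 192.0.2.10:9997'
    '03-12-2024 10:15:32.123 -0500 WARN  TcpOutputProc [4321 parsing] - constructed: connection to 192.0.2.10:9997 timed out'
    '03-12-2024 10:15:33.456 -0500 ERROR TcpInputProc [5678 FwdDataReceiver] - constructed: error on incoming connection'
    '03-12-2024 10:15:34.789 -0500 WARN  DateParserVerbose - constructed: unrelated component'
)
$sample | ConvertFrom-SplunkdLine | Format-Table -AutoSize   # keeps lines 2 and 3 only

# Live tail on the heavy forwarder: last 200 lines, then follow new writes.
# Stop with Ctrl+C.
if (Test-Path -LiteralPath $SplunkdLog) {
    Get-Content -LiteralPath $SplunkdLog -Tail 200 -Wait | ConvertFrom-SplunkdLine
}
```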