Getting Data In

server not listing data

new2splunk21
Loves-to-Learn

I have 5 forwarders forwarding data to my Splunk server

 

but when I log into this server only two of them are listed this

 

 

When I do a TCP dump on the server I can see the forwarder is communicating and sending data but when I log into the web UI the forwarder is not listed

 

does anybody know what this might be?  the configs on all forwrders is the same.

Labels (4)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

The forwarders are not listed where? Because forwarders may or may not be listed in several places depending on which functionalities you use. They can also not show up anywhere within the gui and still be sending data and be functioning perfectly well.

So what is the actual problem?

0 Karma

new2splunk21
Loves-to-Learn

and under messages it s ays

new2splunk21_0-1729108194949.png

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @new2splunk21 ,

I see many different issues that maybe can be reconducted to the same one:

are you sure that the indexers has the resources (storage) to receive all logs? because the message in the last screenshot seems to indicate that there's an issue in the receiver and not in the Forwarder.

Then, did you ever received logs from all the 5 forwarders?

if not, maybe you used the same hostname in some forwarders.

run a search on _internal to see if you have logs from all the forwarders:

index=_internal

Ciao.

Giuseppe

new2splunk21
Loves-to-Learn

they're not showing up when i go to search and type index="host_audits"

0 Karma

new2splunk21
Loves-to-Learn

I found the problem, when Splunk was installed it got installed as a heavy forwarder., so it was looking for the next indexer.  

 

I deleted outputs.conf,  restarted Splunk and it started working.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @new2splunk21 ,

good for you, see next time!

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...