Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

server not listing data

new2splunk21
Loves-to-Learn
‎10-16-2024 09:10 AM

I have 5 forwarders forwarding data to my Splunk server

 

but when I log into this server only two of them are listed this

 

 

When I do a TCP dump on the server I can see the forwarder is communicating and sending data but when I log into the web UI the forwarder is not listed

 

does anybody know what this might be?  the configs on all forwrders is the same.

Labels (4)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-16-2024 12:28 PM

The forwarders are not listed where? Because forwarders may or may not be listed in several places depending on which functionalities you use. They can also not show up anywhere within the gui and still be sending data and be functioning perfectly well.

So what is the actual problem?

0 Karma
Reply

new2splunk21
Loves-to-Learn
‎10-16-2024 12:50 PM

and under messages it s ays

new2splunk21_0-1729108194949.png

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-16-2024 11:15 PM

Hi @new2splunk21 ,

I see many different issues that maybe can be reconducted to the same one:

are you sure that the indexers has the resources (storage) to receive all logs? because the message in the last screenshot seems to indicate that there's an issue in the receiver and not in the Forwarder.

Then, did you ever received logs from all the 5 forwarders?

if not, maybe you used the same hostname in some forwarders.

run a search on _internal to see if you have logs from all the forwarders:

index=_internal

Ciao.

Giuseppe

Reply

new2splunk21
Loves-to-Learn
‎10-16-2024 12:46 PM

they're not showing up when i go to search and type index="host_audits"

0 Karma
Reply

new2splunk21
Loves-to-Learn
‎10-21-2024 06:16 AM

I found the problem, when Splunk was installed it got installed as a heavy forwarder., so it was looking for the next indexer.  

 

I deleted outputs.conf,  restarted Splunk and it started working.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-21-2024 11:44 AM

Hi @new2splunk21 ,

good for you, see next time!

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...