Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

server not listing data

new2splunk21
Loves-to-Learn
‎10-16-2024 09:10 AM

I have 5 forwarders forwarding data to my Splunk server

 

but when I log into this server only two of them are listed this

 

 

When I do a TCP dump on the server I can see the forwarder is communicating and sending data but when I log into the web UI the forwarder is not listed

 

does anybody know what this might be?  the configs on all forwrders is the same.

Labels (4)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-16-2024 12:28 PM

The forwarders are not listed where? Because forwarders may or may not be listed in several places depending on which functionalities you use. They can also not show up anywhere within the gui and still be sending data and be functioning perfectly well.

So what is the actual problem?

0 Karma
Reply

new2splunk21
Loves-to-Learn
‎10-16-2024 12:50 PM

and under messages it s ays

new2splunk21_0-1729108194949.png

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-16-2024 11:15 PM

Hi @new2splunk21 ,

I see many different issues that maybe can be reconducted to the same one:

are you sure that the indexers has the resources (storage) to receive all logs? because the message in the last screenshot seems to indicate that there's an issue in the receiver and not in the Forwarder.

Then, did you ever received logs from all the 5 forwarders?

if not, maybe you used the same hostname in some forwarders.

run a search on _internal to see if you have logs from all the forwarders:

index=_internal

Ciao.

Giuseppe

Reply

new2splunk21
Loves-to-Learn
‎10-16-2024 12:46 PM

they're not showing up when i go to search and type index="host_audits"

0 Karma
Reply

new2splunk21
Loves-to-Learn
‎10-21-2024 06:16 AM

I found the problem, when Splunk was installed it got installed as a heavy forwarder., so it was looking for the next indexer.  

 

I deleted outputs.conf,  restarted Splunk and it started working.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-21-2024 11:44 AM

Hi @new2splunk21 ,

good for you, see next time!

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...