Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

server not listing data

new2splunk21
Loves-to-Learn
‎10-16-2024 09:10 AM

I have 5 forwarders forwarding data to my Splunk server

 

but when I log into this server only two of them are listed this

 

 

When I do a TCP dump on the server I can see the forwarder is communicating and sending data but when I log into the web UI the forwarder is not listed

 

does anybody know what this might be?  the configs on all forwrders is the same.

Labels (4)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-16-2024 12:28 PM

The forwarders are not listed where? Because forwarders may or may not be listed in several places depending on which functionalities you use. They can also not show up anywhere within the gui and still be sending data and be functioning perfectly well.

So what is the actual problem?

0 Karma
Reply

new2splunk21
Loves-to-Learn
‎10-16-2024 12:50 PM

and under messages it s ays

new2splunk21_0-1729108194949.png

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-16-2024 11:15 PM

Hi @new2splunk21 ,

I see many different issues that maybe can be reconducted to the same one:

are you sure that the indexers has the resources (storage) to receive all logs? because the message in the last screenshot seems to indicate that there's an issue in the receiver and not in the Forwarder.

Then, did you ever received logs from all the 5 forwarders?

if not, maybe you used the same hostname in some forwarders.

run a search on _internal to see if you have logs from all the forwarders:

index=_internal

Ciao.

Giuseppe

Reply

new2splunk21
Loves-to-Learn
‎10-16-2024 12:46 PM

they're not showing up when i go to search and type index="host_audits"

0 Karma
Reply

new2splunk21
Loves-to-Learn
‎10-21-2024 06:16 AM

I found the problem, when Splunk was installed it got installed as a heavy forwarder., so it was looking for the next indexer.  

 

I deleted outputs.conf,  restarted Splunk and it started working.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-21-2024 11:44 AM

Hi @new2splunk21 ,

good for you, see next time!

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...