Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- splunk universal forwarder
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunk universal forwarder
kowsikreddy
Loves-to-Learn
12-07-2020
05:34 AM
Hi
Actually we are forwarding data from 2 forwarders servers to the indexer server, from one forwarder server we are receiving the data in indexer server and in search head also we can see data but we are not receiving the data in indexer server from other forwarder server.
Even in the forwarder server logs we can see it is connected to indexer but logs are not getting forward to the indexer server.
We can see below logs in splunkd as below
12-07-2020 12:38:07.059 +0100 INFO TcpOutputProc - Connected to idx=xx.xx.xx.xx:9998, pset=0, reuse=0.
12-07-2020 12:38:07.091 +0100 INFO WatchedFile - Will begin reading at offset=20396720 for file='E:\Apps\SplunkUniversalForwarder\var\log\splunk\metrics.log'.
12-07-2020 12:38:07.106 +0100 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='E:\Apps\SplunkUniversalForwarder\var\log\splunk\license_usage.log'.
12-07-2020 12:38:07.153 +0100 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='E:\Apps\SplunkUniversalForwarder\var\log\splunk\remote_searches.log'.
Below log can see in helat.log
TCPOutAutoLB-0 - More than 70% of forwarding destinations have failed
Outputs.conf file
[tcpout]
defaultGroup = lb
[tcpout:lb]
server =xxx.xxx.com:9998
autoLB = true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kowsikreddy
Loves-to-Learn
12-17-2020
02:37 AM
Thanks @96nick
Actaully we are using outputs.conf in other folder also (E:\APPS\SplunkUniversalForwarder\etc\system\local) apart from E:\APPS\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local due to that it is processing data to old indexer server
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
96nick
Communicator
12-07-2020
08:37 AM
A few things I'd look at first:
- Do a diff on each of the files in your config that have to do with forwarding to see if there are any differences
- Check the _internal logs on your server
- Check the networking
You didn't mention if the two forwarders were on the same or different networks, but if they are there could be a firewall blocking the events from arriving to your indexer. Run a search on your indexer like "index=_internal source=*splunkd.log host={your-host-that-doesn't-work}" and see what shows up.
Run a search for that specific host on your indexer with 'All Time'. Sounds crazy, but the timestamps might be wack. Also make sure you can view the index you are sending your data (especially if you recently created your user account). I know I've made that mistake before :).
Official docs regarding your issue:
Hope that helped!
Related Topics
Get Updates on the Splunk Community!
Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...
This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Community Badges!
Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
