Re: unable to send data to indexer.

sherrysafdar · ‎09-07-2019

Hello, this is my forwarder inputs.conf looks like but I am unable to see any data in the second index cisco_asa.

index fortinet works just fine.

[default]
host = ABC

[monitor://D:\Syslog\Fortinet]
index = fortinet
sourcetype = fortigate

[monitor://D:\Syslog\ASA]
index = cisco_asa
sourcetype = cisco:asa

Please advise!

ashutoshab · ‎09-07-2019

Based on your inputs, I am putting few ways where it might have gone wrong.

There is no data in D:\Syslog\ASA. But as you said, there is data.
Check the user splunk running with, does he have permission to access D:\Syslog\ASA
On indexer, there is no index created with the name cisco_asa. In such case, the indexer will throw warnings that there is data coming for this index which in not present.
The most common mistake, the data is perfectly indexed in index=cisco_asa but, the User Role you are logged in with does not have 'cisco_asa' index added to searchable list. Using Admin user, Please visit Settings >>> access control >>> [your user role] >>> check the list of indexes allowed to be searched for your role.

Above are some causes that make some indexed data not searchable. Please do a check and revert.

richgalloway · ‎09-07-2019

Can you see any data in index=fortinet?
Is there data in D:\Syslog\ASA?
Are there any relevant messages in the forwarder's splunkd.log?

---
If this reply helps you, Karma would be appreciated.

sherrysafdar · ‎09-07-2019

Yes, I can see data in index=fortinet

However, I cannot see any data in index=cisco_asa

Yes, there is data is D:\Syslog\ASA

unable to send data to indexer.