Getting Data In

Where have my forwarded messages been indexed?

davidepala
Path Finder

Hi guys!
I have this scenario:

hq-splunk-fwd-01                       splunk-fwd-01                  splunk01
syslogsrv + universal forwarder => syslogsrv + universal forwarder => indexer

hq-splunk-fwd-01 is installed on a CentOS box in a different network from the other parts of the installation, but it can reach splunk-fwd-01 via routing. I already have some UFs on other Windows VMs that communicate with splunk-fwd-01 without problems, so I think it isn't a network problem but my fault in some configuration ... on hq-splunk-fwd-01 I have a syslog-ng server, as on splunk-fwd-01 ... I've set splunk-fwd-01 as the forwarder in the outputs.conf of hq-splunk-fwd-01 (port 9996) and a monitor stanza for /var/log/syslog/myfolder ... but I can't find anything in my Splunk ... I've checked metrics.log with this query:

index=_internal | search "x.x.x.x" source="/opt/splunkforwarder/var/log/splunk/metrics.log"

where x.x.x.x is the IP of hq-splunk-fwd-01 ... see the attachment for the output.

I can see the connection but can't find the events ... in other words: where is my data!


tiagofbmm
Influencer

Have you set up your indexer with an inputs.conf containing the stanza

[splunktcp:9996]?


davidepala
Path Finder

Other forwarders work fine ... all of them use the stanza you suggested.


davidepala
Path Finder

For more precise info: the indexer has 9997 in its inputs.conf stanza and splunk-fwd-01 has 9996 ... I'm using 9996 on splunk-fwd-01.


tiagofbmm
Influencer

That's the problem. Those forwarders are sending to a port that is not open on the indexer. So you need to add the stanza with 9996 to the indexer's inputs.conf too, or repoint those forwarders' outputs.conf to send to port 9997.

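The mismatch described in this answer (a forwarder's outputs.conf pointing at a port that has no matching [splunktcp:<port>] stanza on the receiving host) is easy to check mechanically before opening tcpdump. The script below is an added example written for this page, not code from the thread or from Splunk: it parses a small inventory of inputs.conf / outputs.conf texts for the three hosts in the question and reports every hop whose target port the receiver does not listen on. The config contents are constructed to reproduce the situation described above (splunk-fwd-01 listening on 9996 but forwarding to the indexer on 9996, while the indexer only has [splunktcp:9997]); the hostnames and group names are assumptions, and on a real host you would feed it the output of `splunk btool inputs list` and `splunk btool outputs list` instead of inline strings.

```python
import configparser
import copy
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample inventory mirroring the thread's topology (assumed names and
# stanza contents, not taken from any real host). Each entry holds the text of
# that host's inputs.conf and outputs.conf (None when the host forwards nothing).
HOSTS: Dict[str, Dict[str, Optional[str]]] = {
    "hq-splunk-fwd-01": {
        "inputs": "[monitor:///var/log/syslog/myfolder]\ndisabled = 0\n",
        "outputs": "[tcpout]\ndefaultGroup = fwd01\n\n"
                   "[tcpout:fwd01]\nserver = splunk-fwd-01:9996\n",
    },
    "splunk-fwd-01": {
        "inputs": "[splunktcp:9996]\ndisabled = 0\n",
        # Misconfiguration under discussion: the intermediate forwarder sends to
        # the indexer on 9996, but the indexer only opens 9997.
        "outputs": "[tcpout]\ndefaultGroup = indexers\n\n"
                   "[tcpout:indexers]\nserver = splunk01:9996\n",
    },
    "splunk01": {
        "inputs": "[splunktcp:9997]\ndisabled = 0\n",
        "outputs": None,
    },
}


def _parse(text: str) -> configparser.ConfigParser:
    """Splunk .conf files are INI-style; keep key case and allow odd stanza names."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # do not lower-case keys such as defaultGroup
    cp.read_string(text)
    return cp


def listening_ports(inputs_text: str) -> Set[int]:
    """Ports with an enabled [splunktcp:<port>] or [splunktcp-ssl:<port>] stanza."""
    ports: Set[int] = set()
    cp = _parse(inputs_text)
    for section in cp.sections():
        if not (section.startswith("splunktcp:") or section.startswith("splunktcp-ssl:")):
            continue
        if cp.get(section, "disabled", fallback="0").strip().lower() in ("1", "true"):
            continue
        ports.add(int(section.rsplit(":", 1)[1]))
    return ports


def output_targets(outputs_text: str) -> List[Tuple[str, int]]:
    """(host, port) pairs from every [tcpout:<group>] server= list (comma separated)."""
    targets: List[Tuple[str, int]] = []
    cp = _parse(outputs_text)
    for section in cp.sections():
        if not section.startswith("tcpout:"):
            continue
        for entry in cp.get(section, "server", fallback="").split(","):
            entry = entry.strip()
            if entry:
                host, port = entry.rsplit(":", 1)
                targets.append((host, int(port)))
    return targets


def find_port_mismatches(hosts: Dict[str, Dict[str, Optional[str]]]) -> List[Tuple[str, str, str]]:
    """Walk every forwarding hop; return (sender, target, reason) for each bad one."""
    problems: List[Tuple[str, str, str]] = []
    for sender, conf in hosts.items():
        if not conf.get("outputs"):
            continue
        for host, port in output_targets(conf["outputs"]):
            receiver = hosts.get(host)
            if receiver is None:
                problems.append((sender, f"{host}:{port}", "receiver not in inventory"))
                continue
            open_ports = listening_ports(receiver["inputs"] or "")
            if port not in open_ports:
                problems.append((sender, f"{host}:{port}",
                                 f"{host} listens on {sorted(open_ports)}"))
    return problems


def with_listener(hosts: Dict[str, Dict[str, Optional[str]]], host: str, port: int):
    """Return a copy of the inventory with [splunktcp:<port>] added on `host`
    (the first remedy in the answer: open the port on the indexer)."""
    fixed = copy.deepcopy(hosts)
    fixed[host]["inputs"] = (fixed[host]["inputs"] or "") + f"\n[splunktcp:{port}]\ndisabled = 0\n"
    return fixed


if __name__ == "__main__":
    for sender, target, reason in find_port_mismatches(HOSTS):
        print(f"{sender} -> {target}: {reason}")
    print("after fix:", find_port_mismatches(with_listener(HOSTS, "splunk01", 9996)))
```

The alternative remedy from the answer, repointing splunk-fwd-01's `server =` line to splunk01:9997, clears the same report; either way, run the check again after restarting the affected Splunk instance, because a stanza edited on disk is not live until then.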

tiagofbmm
Influencer

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that.
