Hello Community,
I would like to inquire about some issues I am facing while setting up a heavy forwarder in Splunk. Please take a look at the issues below:
1) Hosts are visible in Splunk, but all of them are not forwarding their logs to the indexer.
2) Linux servers are not able to forward logs to the indexer.
3) Some hosts are able to forward their logs to the indexer after a manual modification of their universal forwarder file, but it takes an hour or so before they forward their logs.
4) The most recently added hosts do not show their logs in real time, i.e. with a time frame of the last 4 hours or 60 minutes the recently added devices should show logs, but they only show up with a 24-hour time filter.
Thanks in advance.
Hi @Darsh1561m,
please detail your questions:
1) Hosts are visible in Splunk, but all of them are not forwarding their logs to the indexer.
Do you mean that you see some hosts in the Deployment Server but don't see their logs, or something else?
2) Linux servers are not able to forward logs to the indexer.
Do you mean that all your Linux servers don't send logs?
I suppose that you already configured:
How did you do this?
Did you check that the firewall routes between Forwarders, Heavy Forwarders and Indexers are open?
What's your architecture?
3) Some hosts are able to forward their logs to the indexer after a manual modification of their universal forwarder file, but it takes an hour or so before they forward their logs.
Which local configuration did you do?
Are you using a Deployment Server?
Have you followed the instructions at https://www.splunk.com/en_us/resources/videos/getting-data-in-with-forwarders.html or https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Usingforwardingagents or https://docs.splunk.com/Documentation/Splunk/9.0.3/Forwarding/Aboutforwardingandreceivingdata ?
4) The most recently added hosts do not show their logs in real time, i.e. with a time frame of the last 4 hours or 60 minutes the recently added devices should show logs, but they only show up with a 24-hour time filter.
Did you check the timestamp of these events? Is it correct?
Ciao.
Giuseppe
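The checks asked about above (is outputs.conf in place, is the receiving port reachable through the firewall, what does the forwarder itself log about its output connection) can be run from the forwarder host. The script below is an added example, not code from this thread or from Splunk; it assumes a Universal Forwarder installed at the default path, an indexer address and receiving port supplied as environment variables (the 10.0.0.5:9997 defaults are placeholders), and exercises the log filter on a constructed sample written in the layout of splunkd.log:

```shell
#!/bin/sh
# Added example (not from the thread): forwarder-side triage for
# "host is visible but sends no logs".
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"   # assumption: default UF install path
INDEXER="${INDEXER:-10.0.0.5}"                        # placeholder indexer address
PORT="${PORT:-9997}"                                  # default Splunk receiving port

# 1. The outputs.conf the forwarder actually merged, and whether the indexer
#    shows up as an active or merely configured forward-server.
show_outputs() {
    "$SPLUNK_HOME/bin/splunk" btool outputs list --debug
    "$SPLUNK_HOME/bin/splunk" list forward-server
}

# 2. Plain TCP reachability from this host, independent of Splunk. If this
#    fails, the problem is a host firewall or network ACL, not Splunk config.
port_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# 3. Output-pipeline problems are logged by the TcpOutputProc component in
#    $SPLUNK_HOME/var/log/splunk/splunkd.log. Print only its warnings/errors.
tcpout_errors() {
    grep -E '(WARN|ERROR) +TcpOutputProc' "$1"
}

count_tcpout_errors() {
    tcpout_errors "$1" | wc -l | tr -d ' '
}

# Constructed sample in splunkd.log's layout (date, UTC offset, level,
# component, message) so the filter can be exercised offline. The messages
# are typical of a forwarder that cannot reach its indexer or has no
# outputs.conf at all.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
02-10-2023 14:03:09.101 +0000 INFO  TcpOutputProc - Initializing connection for non-ssl forwarding to 10.0.0.5:9997
02-10-2023 14:03:29.512 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.5:9997 timed out
02-10-2023 14:03:29.513 +0000 INFO  TailReader - State transitioning from 1 to 0 (initOrResume).
02-10-2023 14:04:01.007 +0000 ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.
EOF

# Run the filter over the sample; on a real host pass
# "$SPLUNK_HOME/var/log/splunk/splunkd.log" instead.
tcpout_errors "$SAMPLE"
```

On a live forwarder run `show_outputs`, then `port_open "$INDEXER" "$PORT"`, then `tcpout_errors` against the real splunkd.log. A "timed out" or "Connection refused" line points at the network path or at the indexer not listening on that port; the "not configured" line means no outputs.conf was merged, which on a Deployment Server setup usually means the app carrying it was never pushed to that client. The indexer side can confirm the same thing: a forwarder whose connection works sends its own internal logs, so `index=_internal host=<forwarder>` returning nothing is a connectivity problem rather than an inputs problem.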
You seem to have multiple separate problems here. So isolate them and try to troubleshoot one by one.
First question is what architecture you have. Second: what _is_ working. Third: what change did you introduce lately, what was the expected behaviour after this change, and what is the actual observed behaviour.
Don't try to do multiple things at once and then try to pinpoint why something is not working as expected, because this way you can't track cause-effect relationships.
Thanks for your input.
Thank you! That makes sense.
Hi all,
good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉