Splunk Heavy Forwarder Problem

Darsh1561
Explorer

Hello Community,

I would like to inquire about some issues I am facing while setting up a heavy forwarder in Splunk. Please take a look at the issues below:

1) Hosts are visible in Splunk, but all of them are not forwarding their logs to the indexer.

2) Linux servers are not able to forward logs to the indexer.

3) Some hosts are able to forward their logs to the indexer after a manual modification of their universal forwarder file, but it takes an hour or so before they forward their logs.

4) The most recently added devices do not show their logs in real time, i.e. the recently added devices should show logs when the time frame is the last 4 hours or 60 minutes, but they only show under the 24-hour time filter.

Thanks in advance.

gcusello
SplunkTrust
SplunkTrust

Hi @Darsh1561m,

please detail your questions:

1) Hosts are visible in Splunk, but all of them are not forwarding their logs to the indexer.

Do you mean that you see some hosts in the Deployment Server but don't see their logs, or something else?

2) Linux servers are not able to forward logs to the indexer.

Do you mean that all your Linux servers don't send logs?

I suppose that you already configured:

  • your indexers and your Heavy Forwarders to receive logs,
  • your Forwarders to send logs to the Indexers or to Heavy Forwarders.

How did you do this?

Did you check that the firewall routes between Forwarders, Indexers and Heavy Forwarders are open?

What's your architecture?

3) Some hosts are able to forward their logs to the indexer after a manual modification of their universal forwarder file, but it takes an hour or so before they forward their logs.

Which local configuration did you do?

Are you using a Deployment Server?

Have you followed the instructions at https://www.splunk.com/en_us/resources/videos/getting-data-in-with-forwarders.html or https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Usingforwardingagents or https://docs.splunk.com/Documentation/Splunk/9.0.3/Forwarding/Aboutforwardingandreceivingdata ?

4) The most recently added devices do not show their logs in real time, i.e. the recently added devices should show logs when the time frame is the last 4 hours or 60 minutes, but they only show under the 24-hour time filter.

Did you check the timestamp of these events? Is it correct?

Ciao.

Giuseppe

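The two checks the accepted answer asks for (is the forwarder actually reaching the receiver, and is the event timestamp correct) can be scripted over what `index=_internal` returns from the forwarders. The following is an added example, not code from this thread or from Splunk: it parses a handful of constructed lines in the layout of splunkd.log `TcpOutputProc` messages (the leading `host=` field is an assumption that mimics a centrally collected search result; the hostnames, addresses and times are made up), reports the last known connection state per forwarder, and computes the lag between an event's timestamp and the time it was indexed, which is what makes a freshly added host appear only under a 24-hour filter when its clock or timezone is wrong.

```python
"""Triage helper for forwarder-to-indexer delivery problems (added example).

Part 1: last connection state per forwarder, from TcpOutputProc log lines.
Part 2: event-time vs index-time lag, to spot timestamp/timezone problems.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: splunkd.log-style TcpOutputProc lines, prefixed with the
# originating host as a central _internal search would show them. All values are made up.
SAMPLE_SPLUNKD_LOG = """\
host=web01 06-14-2023 10:01:02.114 +0000 INFO  TcpOutputProc - Connected to idx=10.10.0.5:9997, pset=0, reuse=0.
host=db01 06-14-2023 10:01:05.220 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.10.0.5:9997 timed out
host=db01 06-14-2023 10:02:05.301 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.10.0.5:9997 timed out
host=lnx02 06-14-2023 10:01:09.002 +0000 ERROR TcpOutputProc - Connection to 10.10.0.5:9997 failed
host=lnx02 06-14-2023 10:05:09.410 +0000 INFO  TcpOutputProc - Connected to idx=10.10.0.5:9997, pset=0, reuse=0.
"""

LOG_RE = re.compile(
    r"^host=(?P<host>\S+) (?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"(?P<level>\w+)\s+TcpOutputProc - (?P<msg>.*)$"
)
DEST_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}:\d+)")  # receiver ip:port inside the message


def parse_splunkd_ts(ts, tz):
    """splunkd.log timestamps are MM-DD-YYYY HH:MM:SS.mmm followed by a UTC offset."""
    return datetime.strptime(f"{ts} {tz}", "%m-%d-%Y %H:%M:%S.%f %z")


def forwarder_status(log_text):
    """Return {host: {dest, state, failures, last_seen}} using the most recent line per host.

    'failing' means the last attempt timed out or failed (typically a blocked route
    to the receiving port, or a receiver that was never enabled on the indexer/HF).
    """
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a TcpOutputProc line; ignore
        records.append((parse_splunkd_ts(m["ts"], m["tz"]), m["host"], m["msg"]))
    records.sort(key=lambda r: r[0])  # lines may arrive out of order; decide on the latest
    status = {}
    for when, host, msg in records:
        entry = status.setdefault(
            host, {"dest": None, "state": "unknown", "failures": 0, "last_seen": None}
        )
        dest = DEST_RE.search(msg)
        if dest:
            entry["dest"] = dest.group(1)
        if msg.startswith("Connected to"):
            entry["state"] = "connected"
        elif "timed out" in msg or "failed" in msg:
            entry["state"] = "failing"
            entry["failures"] += 1
        entry["last_seen"] = when
    return status


def timestamp_check(events, search_end, window_minutes=60):
    """For (host, event_time, index_time) triples, return the lag in seconds
    (index_time - event_time) and whether the event falls inside a
    'last N minutes' search ending at search_end. A large lag with in_window=False
    is the signature of a wrong timezone or clock on the sending host."""
    window_start = search_end - timedelta(minutes=window_minutes)
    return [
        {
            "host": host,
            "lag_seconds": (index_time - event_time).total_seconds(),
            "in_window": window_start <= event_time <= search_end,
        }
        for host, event_time, index_time in events
    ]


def sample_timestamp_report():
    """Constructed events: db01 logs local time without an offset, so its events are
    parsed five hours in the past and only show up under a 24-hour filter."""
    utc = timezone.utc
    now = datetime(2023, 6, 14, 10, 10, tzinfo=utc)
    events = [
        ("web01", datetime(2023, 6, 14, 10, 9, 30, tzinfo=utc), datetime(2023, 6, 14, 10, 9, 31, tzinfo=utc)),
        ("db01", datetime(2023, 6, 14, 5, 9, 30, tzinfo=utc), datetime(2023, 6, 14, 10, 9, 31, tzinfo=utc)),
        ("lnx02", datetime(2023, 6, 14, 10, 9, 0, tzinfo=utc), datetime(2023, 6, 14, 10, 9, 5, tzinfo=utc)),
    ]
    return timestamp_check(events, now, window_minutes=60)


if __name__ == "__main__":
    for host, info in forwarder_status(SAMPLE_SPLUNKD_LOG).items():
        print(f"{host}: dest={info['dest']} state={info['state']} failures={info['failures']}")
    for row in sample_timestamp_report():
        print(row)
```

In a real deployment the first function would be fed the output of a search over `index=_internal` restricted to `TcpOutputProc`, and the second the pair `_time` / `_indextime` per host; a host that is "connected" yet only visible under a wide time filter points at the timestamp, not the network.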
PickleRick
SplunkTrust
SplunkTrust

You seem to have multiple separate problems here. So isolate them and try to troubleshoot one by one.

First question is what architecture do you have. Second - what _is_ working. Third - what change did you introduce lately. What was the expected behaviour after this change and what is the actual observed behaviour.

Don't try to do multiple things at once and then try to pinpoint why something is not working as expected because this way you can't track cause-effect relationships.

Darsh1561
Explorer

Thanks for your input.

aad
Loves-to-Learn

Thank you! That makes sense.

gcusello
SplunkTrust
SplunkTrust

Hi all,

Good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉
