Why isn't my UF sending data to indexer?

Ziadm
Path Finder

I just set up the UF on my DC (it's a lab environment) and I can confirm that both are connected on the specified ports using netstat, but I'm not getting any logs from my DC.
I'm also using the Splunk Add-on for Windows and enabled logs for Sysmon and AD only.

This is my inputs file for the add-on.


And I keep getting these errors in my Splunk instance. Here's also the log file for splunkd.


Ziadm
Path Finder

Another pic from the GUI.

gcusello
SplunkTrust

Hi @Ziadm,

As I asked in the previous question, I have some questions to help debug your issue:

  • Does your UF send logs to the indexer? You can check on the indexer by running a simple search like "index=_internal host=<DC_hostname>"
  • If yes, how are you taking DC logs, and which add-on are you using?
  • If not, check the connection between UF and IDX using "telnet <ip_indexer> 9997"

Ciao.

Giuseppe


Ziadm
Path Finder

So as I said already, I'm not getting any logs from the DC, and I'm using the Splunk Add-on for Windows to get the logs. Yes, I was able to telnet in using port 9997 without an issue, even though I didn't really need to, because I had confirmed before with netstat that there was an established connection on this port between my DC and the Splunk instance. As per this screenshot, I believe it confirms that there's a connection between the two machines; in fact, the deployment server is working fine. So I don't really know where the issue is, to be honest. I had disabled the firewall on both machines, but that didn't help at all.

gcusello
SplunkTrust

Hi @Ziadm,

I'm not speaking of DC logs, I'm speaking of Splunk Universal Forwarder logs (index=_internal host=<DC-hostname>).

This is relevant to understand if the problem is in the connection or in the configuration.

Ciao.

Giuseppe

Ziadm
Path Finder

Ok, my bad. So I ran the search and no, the UF isn't sending anything.
I also ran all the searches here and they all returned 0 events:
https://docs.splunk.com/Documentation/Splunk/7.2.4/Troubleshooting/Cantfinddata?_gl=1*ip55yp*_ga*NjE...2130356.1417374891.1664733351-617023476.1664733351
The last one, though, that I ran in the CLI returned an SSL error that I think is irrelevant to my issue.

Ziadm
Path Finder

You are more than welcome to remote into my lab and check things out yourself if you want to.

Ziadm
Path Finder

I can't believe it, the solution in this thread worked for me: https://community.splunk.com/t5/Monitoring-Splunk/Tcpout-Processor-The-TCP-output-processor-has-paus...

I don't even know how this outputs file got there, but alright.
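As an added example (not code from either poster), a small Python checker covering the two places this thread ends up: the forwarder's outputs.conf, where gcusello's checklist points when index=_internal shows nothing from the host, and the TcpOutputProc "paused the data flow" warnings in splunkd.log that the linked thread is about. The sample outputs.conf and log lines are constructed; the indexer address and group names are placeholders.

```python
"""Sanity-check a UF outputs.conf and splunkd.log for common forwarding faults."""
import re
from configparser import ConfigParser

# Constructed sample outputs.conf: defaultGroup names a group that is never defined,
# so the UF has no valid tcpout target even though TCP 9997 is reachable.
OUTPUTS_CONF = """
[tcpout]
defaultGroup = primary_indexers

[tcpout:lab_indexer]
server = 10.0.0.5:9997
"""

# Constructed splunkd.log excerpts (not the thread's screenshots); hostnames are placeholders.
SPLUNKD_LOG = [
    "10-04-2022 18:42:10.123 +0200 INFO  TcpOutputProc - Connected to idx=10.0.0.5:9997",
    "10-04-2022 18:45:10.456 +0200 WARN  TcpOutputProc - The TCP output processor has paused the data flow. "
    "Forwarding to output group lab_indexer has been blocked for 300 seconds.",
]

def check_outputs_conf(text):
    """Return human-readable problems found in an outputs.conf body."""
    cp = ConfigParser(interpolation=None, strict=False)  # keys are lower-cased by ConfigParser
    cp.read_string(text)
    problems = []
    groups = {s.split(":", 1)[1]: dict(cp[s]) for s in cp.sections() if s.startswith("tcpout:")}
    if not groups:
        problems.append("no [tcpout:<group>] stanza defines an indexer target")
    default = cp["tcpout"].get("defaultGroup") if cp.has_section("tcpout") else None
    if default is None:
        problems.append("[tcpout] has no defaultGroup, so no group receives data by default")
    elif default not in groups:
        problems.append(f"defaultGroup '{default}' is not defined as [tcpout:{default}]")
    for name, opts in groups.items():
        servers = [s.strip() for s in opts.get("server", "").split(",") if s.strip()]
        if not servers:
            problems.append(f"group '{name}' has no server = host:port list")
        for s in servers:
            if not re.fullmatch(r"[^:\s]+:\d{1,5}", s):
                problems.append(f"group '{name}' has malformed server entry '{s}'")
        if opts.get("disabled", "false").lower() in ("true", "1"):
            problems.append(f"group '{name}' is disabled")
    return problems

PAUSED_RE = re.compile(r"TcpOutputProc - .*paused the data flow.*?output group (\S+) has been blocked for (\d+) seconds")

def blocked_groups(lines):
    """Map output group -> longest reported block time from TcpOutputProc pause warnings."""
    blocked = {}
    for line in lines:
        m = PAUSED_RE.search(line)
        if m:
            blocked[m.group(1)] = max(blocked.get(m.group(1), 0), int(m.group(2)))
    return blocked
```

A blocked group with an otherwise reachable port is exactly the case where netstat and telnet look healthy while index=_internal stays empty for the host.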

gcusello
SplunkTrust

Hi @Ziadm,

Good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
