Hi @Ziadm,

as I asked in the previous question, I have some quistions trying to debug your issue:

• does you UF send logs to the indexer?, you can check on the indexer running a simple search like "index=_internal host=<DC_hostname>"
• If yes, how are you taking DC logs, which add-on are you using?
• if not, check the connection between UF and IDX using "telnet <ip_indexer> 9997"

Ciao.

Giuseppe

So as i said already I'm not getting any logs from the DC and I'm using the Splunk add on for windows to get the logs  and yes i was able to telnet into using the 9997 port without an issue even though i didn't really need to because i had confirmed before with netstat that there was an established connection on this port between my dc and the Splunk instance and as per the this screen shot i believe it confirms that there's a connection between the two machines in fact  the deployment server is working fine  so i don't really know where the issue is to be honest , i had disabled the firewall on both machines but that didn't help at all

Hi @Ziadm,

I'm not speaking of DC logs, I'm speaking of Splunk Universal Forwarder logs (index=_internal host=<DC-hostname>).

this is relevant to understand if the problem is in the connection or in the configuration.

Ciao.

Giuseppe

Ok my bad so i ran the search and no the UF isn't sending anything,
i also ran all the searches here and they all returned 0 events 
https://docs.splunk.com/Documentation/Splunk/7.2.4/Troubleshooting/Cantfinddata?_gl=1*ip55yp*_ga*NjE...2130356.1417374891.1664733351-617023476.1664733351
the last one though that i ran in the cli returned an ssl error that i think is irrelevant to my issue

you are more than welcome to remote into my lab and check things out yourself if you want to

Hi @Ziadm,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉