Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why are _internal logs from heavy forwarder(HF) not getting to indexers after a Splunkd restart but _audit are?

Rob2520
Communicator
‎09-12-2018 07:59 PM

All of a sudden, _internal logs from HF stopped coming to indexers after a Splunkd restart. But, i see _audit logs making it to indexers. And, I see splunkd.log on HF is growing. There is no change in inputs.conf or outputs.conf before restart. What could be the reason?

0 Karma
Reply

adobrzeniecki
Path Finder
‎10-05-2022 10:23 AM

Run  /opt/splunk/bin/splunk btool outputs list --debug


You should see that the whitelisted index list does not include _internal. It is a precedence issue.  For us the issue was because the SplunkForwarder app did not include _internal in the whitelist for indexes. Just put this in /opt/splunk/etc/system/local/outputs.conf OR /opt/splunk/etc/SplunkForwarder/local/outputs.conf

[tcpout] 
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)

 

 

0 Karma
Reply

tiagofbmm
Influencer
‎02-26-2019 04:15 AM

Use btool to check on your inputs for splunkd.log files:

/opt/splunk/bin/splunk btool inputs list --debug | grep -B 5 log/splunk

If there is no TCP_ROUTING sending those to somewhere strange, check the /opt/splunk/var/log on the HF to check the modtime of splunkd.

More, do a tail -f on splunkd.log to check if these are being written

Finally, on your Search Head do a | tstats count where host=yourhf by index, _time

and check if something else has stopped meanwhile from that host

0 Karma
Reply

tiagofbmm
Influencer
‎03-01-2019 03:06 AM

@Rob2520 please accept an answer if it solved/helped it and upvote it. Otherwise let us know how can we help further

0 Karma
Reply

MuS
Legend
‎09-12-2018 08:17 PM

Check props.conf and/or transforms.conf if there is any filtering or routing configured. I know that _audit is not effected by those settings and therefore reaches your indexer. Also these kind of configuration changes need a Splunk restart to take effect.

cheers, MuS

0 Karma
Reply

Rob2520
Communicator
‎09-13-2018 08:06 PM

MuS, i don't see props or transforms related to splunkd logs.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...

Index This | How many sevens are there between 1 and 100?

August 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...