Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why are _internal logs from heavy forwarder(HF) not getting to indexers after a Splunkd restart but _audit are?

Rob2520
Communicator
‎09-12-2018 07:59 PM

All of a sudden, _internal logs from HF stopped coming to indexers after a Splunkd restart. But, i see _audit logs making it to indexers. And, I see splunkd.log on HF is growing. There is no change in inputs.conf or outputs.conf before restart. What could be the reason?

0 Karma
Reply

adobrzeniecki
Path Finder
‎10-05-2022 10:23 AM

Run  /opt/splunk/bin/splunk btool outputs list --debug


You should see that the whitelisted index list does not include _internal. It is a precedence issue.  For us the issue was because the SplunkForwarder app did not include _internal in the whitelist for indexes. Just put this in /opt/splunk/etc/system/local/outputs.conf OR /opt/splunk/etc/SplunkForwarder/local/outputs.conf

[tcpout] 
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)

 

 

0 Karma
Reply

tiagofbmm
Influencer
‎02-26-2019 04:15 AM

Use btool to check on your inputs for splunkd.log files:

/opt/splunk/bin/splunk btool inputs list --debug | grep -B 5 log/splunk

If there is no TCP_ROUTING sending those to somewhere strange, check the /opt/splunk/var/log on the HF to check the modtime of splunkd.

More, do a tail -f on splunkd.log to check if these are being written

Finally, on your Search Head do a | tstats count where host=yourhf by index, _time

and check if something else has stopped meanwhile from that host

0 Karma
Reply

tiagofbmm
Influencer
‎03-01-2019 03:06 AM

@Rob2520 please accept an answer if it solved/helped it and upvote it. Otherwise let us know how can we help further

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎09-12-2018 08:17 PM

Check props.conf and/or transforms.conf if there is any filtering or routing configured. I know that _audit is not effected by those settings and therefore reaches your indexer. Also these kind of configuration changes need a Splunk restart to take effect.

cheers, MuS

0 Karma
Reply

Rob2520
Communicator
‎09-13-2018 08:06 PM

MuS, i don't see props or transforms related to splunkd logs.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...