Splunk Cloud Platform

Why are Forwarder logs not generated?

I29851
Explorer

Hello all

In our environment some universal forwarders are not reporting to Splunk Cloud. When I tried to view the forwarder log file, i.e. splunkd.log, I found that for the past one week no log was present in the file. What may be the reason? Is it related to the forwarder not sending logs to the Splunk index?

Thank you

0 Karma

PickleRick
SplunkTrust

If the splunkd.log is not generated locally on the UF machine, it's not surprising that there are no events forwarded to the indexers. By default Splunk logs its own internals to files and then ingests the entries from those files and forwards them to indexers to the _internal index. So if there is nothing to read, there's nothing to forward.

But the question is whether the Splunk forwarder process is running at all.

If it's not running, you should try to find (in system-wide logs, maybe last entries in splunkd.log will shed some light) why the process was stopped.

0 Karma

VatsalJagani
SplunkTrust

@I29851 

  • Are Splunk services running? (./splunk status)
  • Are the file system permissions accessible to the user who is currently running the Splunk service?

---
I could see only these 2 main reasons for Splunk not generating internal logs.

0 Karma
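
The checks suggested in the answers above (is splunkd running, can the service account write to the log directory, how old is splunkd.log), combined into one script as an added example that is not part of the original thread. It assumes a Linux universal forwarder with the default SPLUNK_HOME of /opt/splunkforwarder; the function names and verdict labels are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Run as the account that runs splunkd,
# because the -w/-x tests below apply to the current user.
# Assumption: Linux UF with the default SPLUNK_HOME of /opt/splunkforwarder.

# Whole days since FILE was last written; -1 if it does not exist.
# An optional second argument overrides "now" (epoch seconds).
log_age_days() {
    [ -f "$1" ] || { echo -1; return 0; }
    lad_now=${2:-$(date +%s)}
    lad_mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
    echo $(( (lad_now - lad_mtime) / 86400 ))
}

# Can the current user create and append files in the log directory?
log_dir_state() {
    if [ ! -d "$1" ]; then echo missing
    elif [ ! -w "$1" ] || [ ! -x "$1" ]; then echo dir_not_writable
    elif [ -e "$1/splunkd.log" ] && [ ! -w "$1/splunkd.log" ]; then echo log_not_writable
    else echo ok
    fi
}

# Combine the checks in the order the answers give them.
# Args: running(yes|no) dir_state age_days max_age_days
verdict() {
    if [ "$1" != yes ]; then echo process_down
    elif [ "$2" != ok ]; then echo permissions
    elif [ "$3" -lt 0 ] || [ "$3" -gt "$4" ]; then echo stale_log
    else echo healthy
    fi
}

triage() {
    t_home=${SPLUNK_HOME:-/opt/splunkforwarder}
    t_dir=$t_home/var/log/splunk
    # A non-zero exit from "splunk status" (or a missing binary) counts as not running.
    if "$t_home/bin/splunk" status >/dev/null 2>&1; then t_run=yes; else t_run=no; fi
    t_state=$(log_dir_state "$t_dir")
    t_age=$(log_age_days "$t_dir/splunkd.log")
    echo "running=$t_run log_dir=$t_state splunkd.log_age_days=$t_age"
    verdict "$t_run" "$t_state" "$t_age" "${1:-1}"
}

# Usage: sh uf_triage.sh run   (does nothing without the "run" argument)
if [ "${1:-}" = run ]; then triage 1; fi
```

A `process_down` verdict points back to the system-wide logs and the last entries in splunkd.log; `permissions` points to the ownership of the log directory.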