Re: Forwarder logs not generated

I29851 · ‎04-19-2022

Hello all

In our environment some universal forwarders are not reporting to Splunk cloud. When I tried to view forwarder log file i.e. splunkd.log I found that for past one week no log was present in the file. What maybe the reason? Is it related to forwarder not sending logs to Splunk index?

Thank you

PickleRick · ‎04-19-2022

If the splunkd.log is not generated locally on the UF machine, it's not surprising that there are no events forwarded to the indexers. By default splunk logs its own internals to files and then ingests the entries from those files and forwards them to indexers to the _internal index. So if there is nothing to read, there's nothing to forward.

But the question is whether the splunk forwarder process is running at all.

If it's not running, you should try to find (in system-wide logs, maybe last entries in splunkd.log will shed some light) why the process was stopped.

VatsalJagani · ‎04-19-2022

@I29851

Are Splunk services running? (./splunk status)
Is permission of the file system accessible by the user who is currently running the Splunk service?

---
I could see only these 2 main reasons Splunk not generating internal logs.

Why are Forwarder logs not generated?

administration

Splunk Investigate

troubleshooting

using Splunk Cloud

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Join the Conversation