Re: Forwarder logs not generated

I29851 · ‎04-19-2022

Hello all

In our environment some universal forwarders are not reporting to Splunk cloud. When I tried to view forwarder log file i.e. splunkd.log I found that for past one week no log was present in the file. What maybe the reason? Is it related to forwarder not sending logs to Splunk index?

Thank you

PickleRick · ‎04-19-2022

If the splunkd.log is not generated locally on the UF machine, it's not surprising that there are no events forwarded to the indexers. By default splunk logs its own internals to files and then ingests the entries from those files and forwards them to indexers to the _internal index. So if there is nothing to read, there's nothing to forward.

But the question is whether the splunk forwarder process is running at all.

If it's not running, you should try to find (in system-wide logs, maybe last entries in splunkd.log will shed some light) why the process was stopped.

VatsalJagani · ‎04-19-2022

@I29851

Are Splunk services running? (./splunk status)
Is permission of the file system accessible by the user who is currently running the Splunk service?

---
I could see only these 2 main reasons Splunk not generating internal logs.

Why are Forwarder logs not generated?

administration

Splunk Investigate

troubleshooting

using Splunk Cloud

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?