Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Logs Stopped Forwarding to Index

heats
Explorer
‎06-05-2017 05:51 AM

Everytime I think I have Splunk figured out - I don't.

Logs stopped forwarding from my server to a specific index. I can see that logs are still forwarding probably to the default group but as you can see from my inputs.conf file it SHOULD be going to jim_test. I can confirm this is in the system/local so the precedence should be ok. Most of what I'm seeing in splunkd.log on the forwarder are successful calls "home".

[default]
host = ctl-ansible0104
queueSize = 10MB
sslVersions = tls

[monitor:///var/log/messages]
disabled = false
index = jim_test
sourcetype = linux_messages_syslog

Not sure what other things I should be troubleshooting.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎06-05-2017 06:00 AM

after adding /var/log/messages, did you restart the Splunk on UF?

the /var/log/messages file gets forwarded to wrong index or not getting forwarding at all?
are other log files are getting to splunk indexer properly?

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

View solution in original post

Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎06-05-2017 06:00 AM

after adding /var/log/messages, did you restart the Splunk on UF?

the /var/log/messages file gets forwarded to wrong index or not getting forwarding at all?
are other log files are getting to splunk indexer properly?

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

heats
Explorer
‎06-05-2017 06:42 AM

Of course now it's working. Maybe I had my search syntax wrong 😞
I'm going to accept your answer since you took the time to reply to me.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...