Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Logs Stopped Forwarding to Index

heats
Explorer
‎06-05-2017 05:51 AM

Everytime I think I have Splunk figured out - I don't.

Logs stopped forwarding from my server to a specific index. I can see that logs are still forwarding probably to the default group but as you can see from my inputs.conf file it SHOULD be going to jim_test. I can confirm this is in the system/local so the precedence should be ok. Most of what I'm seeing in splunkd.log on the forwarder are successful calls "home".

[default]
host = ctl-ansible0104
queueSize = 10MB
sslVersions = tls

[monitor:///var/log/messages]
disabled = false
index = jim_test
sourcetype = linux_messages_syslog

Not sure what other things I should be troubleshooting.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎06-05-2017 06:00 AM

after adding /var/log/messages, did you restart the Splunk on UF?

the /var/log/messages file gets forwarded to wrong index or not getting forwarding at all?
are other log files are getting to splunk indexer properly?

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

View solution in original post

Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎06-05-2017 06:00 AM

after adding /var/log/messages, did you restart the Splunk on UF?

the /var/log/messages file gets forwarded to wrong index or not getting forwarding at all?
are other log files are getting to splunk indexer properly?

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

heats
Explorer
‎06-05-2017 06:42 AM

Of course now it's working. Maybe I had my search syntax wrong 😞
I'm going to accept your answer since you took the time to reply to me.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...