Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Logs Stopped Forwarding to Index

heats
Explorer
‎06-05-2017 05:51 AM

Everytime I think I have Splunk figured out - I don't.

Logs stopped forwarding from my server to a specific index. I can see that logs are still forwarding probably to the default group but as you can see from my inputs.conf file it SHOULD be going to jim_test. I can confirm this is in the system/local so the precedence should be ok. Most of what I'm seeing in splunkd.log on the forwarder are successful calls "home".

[default]
host = ctl-ansible0104
queueSize = 10MB
sslVersions = tls

[monitor:///var/log/messages]
disabled = false
index = jim_test
sourcetype = linux_messages_syslog

Not sure what other things I should be troubleshooting.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎06-05-2017 06:00 AM

after adding /var/log/messages, did you restart the Splunk on UF?

the /var/log/messages file gets forwarded to wrong index or not getting forwarding at all?
are other log files are getting to splunk indexer properly?

View solution in original post

Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎06-05-2017 06:00 AM

after adding /var/log/messages, did you restart the Splunk on UF?

the /var/log/messages file gets forwarded to wrong index or not getting forwarding at all?
are other log files are getting to splunk indexer properly?

Reply
Solved! Jump to solution

heats
Explorer
‎06-05-2017 06:42 AM

Of course now it's working. Maybe I had my search syntax wrong 😞
I'm going to accept your answer since you took the time to reply to me.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...