Splunk Enterprise

Receiver not receiving data from universal forwarder

easedilctl
New Member

Hi,

I'm trying to configure a forwarder and the receiver doesn't get any data. Please help.

Forwarder's outputs.conf:
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = vm1.sandbox:9997

[tcpout-server://vm1.sandbox:9997]

That was configured using splunk add forward-server command.

Below is the receiver's inputs.conf (configured via the Splunk Web > Manager > Forwarding and receiving menu):

[splunktcp://9997]
connection_host = ip

Totally a newbie and trying to understand how these components work.

Thanks!

0 Karma
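An added example, not part of the original thread: a small Python check that cross-references the two files posted above, resolving the forwarder's defaultGroup to its server entries and confirming the receiver has an enabled splunktcp stanza on the same port. The function names are hypothetical and the sample text is constructed from the configs in the post.

```python
import configparser

# Constructed sample input: the two files as posted in the thread.
FORWARDER_OUTPUTS = """\
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = vm1.sandbox:9997
[tcpout-server://vm1.sandbox:9997]
"""
RECEIVER_INPUTS = "[splunktcp://9997]\nconnection_host = ip\n"

def parse_conf(text):
    """Parse Splunk .conf text (INI-like), keeping key case as written."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def forwarder_targets(outputs_text):
    """Resolve [tcpout] defaultGroup to the (host, port) pairs it sends to."""
    cp, targets = parse_conf(outputs_text), []
    for group in cp.get("tcpout", "defaultGroup", fallback="").split(","):
        servers = cp.get(f"tcpout:{group.strip()}", "server", fallback="")
        for entry in filter(None, (s.strip() for s in servers.split(","))):
            host, _, port = entry.rpartition(":")
            targets.append((host, int(port)))
    return targets

def receiver_ports(inputs_text):
    """Ports with an enabled [splunktcp://...] stanza on the receiver."""
    cp = parse_conf(inputs_text)
    return {int(s.rpartition(":")[2].lstrip("/")) for s in cp.sections()
            if s.startswith("splunktcp://")
            and cp.get(s, "disabled", fallback="0").lower() not in ("1", "true")}

def check(outputs_text, inputs_text):
    """Return a list of mismatches; an empty list means the two files agree."""
    targets, listening = forwarder_targets(outputs_text), receiver_ports(inputs_text)
    problems = [] if targets else ["no server resolved from [tcpout] defaultGroup"]
    for host, port in targets:
        if port not in listening:
            problems.append(f"{host}:{port}: no enabled [splunktcp://{port}] on receiver")
    return problems

if __name__ == "__main__":
    print(check(FORWARDER_OUTPUTS, RECEIVER_INPUTS) or "outputs.conf and inputs.conf agree")
```

An empty result only shows that the output and receiving stanzas line up; it says nothing about whether the forwarder has any inputs defined or whether the port is reachable over the network.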

easedilctl
New Member

Not sure what happened, but I started seeing the logs after rebooting the server. Here's the output of the splunk list monitor command:

Monitored Directories:
$SPLUNK_HOME/var/log/splunk/splunkd.log
/opt/app/splunkforwarder/var/log/splunk/audit.log
/opt/app/splunkforwarder/var/log/splunk/first_install.log
/opt/app/splunkforwarder/var/log/splunk/license_audit.log
/opt/app/splunkforwarder/var/log/splunk/license_usage.log
/opt/app/splunkforwarder/var/log/splunk/metrics.log
/opt/app/splunkforwarder/var/log/splunk/scheduler.log
/opt/app/splunkforwarder/var/log/splunk/searchhistory.log
/opt/app/splunkforwarder/var/log/splunk/splunkd.log
/opt/app/splunkforwarder/var/log/splunk/splunkd_access.log
/opt/app/splunkforwarder/var/log/splunk/splunkd_stderr.log
/opt/app/splunkforwarder/var/log/splunk/splunkd_stdout.log
$SPLUNK_HOME/var/spool/splunk/...stash_new
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/alert_vm2db.log
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_dbrm_18753.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_dbrm_18753.trm
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_j001_18973.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_j001_18973.trm
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_mmon_18771.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_mmon_18771.trm
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_vkrm_18831.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_vkrm_18831.trm
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_vktm_18745.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_vktm_18745.trm
Monitored Files:
$SPLUNK_HOME/etc/splunk.version

0 Karma

lguinn2
Legend

Here is a great article on the Splunk wiki: Troubleshooting Monitor Inputs
I suggest that you skip the first part of the page on setting DEBUG mode, as the other suggestions on the page are generally both easier and more useful.

And as a very first step, I would log onto the forwarder and give the following command

splunk list monitor

which will tell you which files Splunk is reading. A quick peek at splunkd.log may be helpful, too; you can even search it with the following command:

index=_internal source=*splunkd.log

easedilctl
New Member

Thank you for your help!

0 Karma

easedilctl
New Member

The following is what's on my inputs.conf in the forwarder:

[monitor:///opt/app/oracle/diag/rdbms/vm2db/vm2db/trace]

And yes, splunk user has permissions on those directories.

0 Karma

sdaniels
Splunk Employee

What is in your inputs.conf file on the forwarder?

0 Karma

Ayn
Legend

Did you configure inputs on the forwarder?

0 Karma