Splunk Enterprise

Receiver not receiving data from universal forwarder

easedilctl
New Member

Hi,

I'm trying to configure a forwarder and the receiver doesn't get any data. Please help.

Forwarder's outputs.conf:
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = vm1.sandbox:9997

[tcpout-server://vm1.sandbox:9997]

That was configured using splunk add forward-server command.

Below is the receiver's inputs.conf (configured via the Splunk Web > Manager > Forwarding and receiving menu):

[splunktcp://9997]
connection_host = ip

Totally a newbie and trying to understand how these components work.

Thanks!

0 Karma

easedilctl
New Member

Not sure what happened, but I started seeing the logs after rebooting the server. Here's the output of the splunk list monitor command:

Monitored Directories:
$SPLUNK_HOME/var/log/splunk/splunkd.log
/opt/app/splunkforwarder/var/log/splunk/audit.log
/opt/app/splunkforwarder/var/log/splunk/first_install.log
/opt/app/splunkforwarder/var/log/splunk/license_audit.log
/opt/app/splunkforwarder/var/log/splunk/license_usage.log
/opt/app/splunkforwarder/var/log/splunk/metrics.log
/opt/app/splunkforwarder/var/log/splunk/scheduler.log
/opt/app/splunkforwarder/var/log/splunk/searchhistory.log
/opt/app/splunkforwarder/var/log/splunk/splunkd.log
/opt/app/splunkforwarder/var/log/splunk/splunkd_access.log
/opt/app/splunkforwarder/var/log/splunk/splunkd_stderr.log
/opt/app/splunkforwarder/var/log/splunk/splunkd_stdout.log
$SPLUNK_HOME/var/spool/splunk/...stash_new
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/alert_vm2db.log
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_dbrm_18753.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_dbrm_18753.trm
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_j001_18973.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_j001_18973.trm
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_mmon_18771.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_mmon_18771.trm
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_vkrm_18831.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_vkrm_18831.trm
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_vktm_18745.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_vktm_18745.trm
Monitored Files:
$SPLUNK_HOME/etc/splunk.version

0 Karma

lguinn2
Legend

Here is a great article on the Splunk wiki: Troubleshooting Monitor Inputs
I suggest that you skip the first part of the page on setting DEBUG mode, as the other suggestions on the page are generally both easier and more useful.

And as a very first step, I would log onto the forwarder and give the following command

splunk list monitor

which will tell you which files Splunk is reading. A quick peek at splunkd.log may be helpful, too; you can even search it with the following command:

index=_internal source=*splunkd.log

easedilctl
New Member

Thank you for your help!

0 Karma

easedilctl
New Member

The following is what's on my inputs.conf in the forwarder:

[monitor:///opt/app/oracle/diag/rdbms/vm2db/vm2db/trace]

And yes, splunk user has permissions on those directories.

0 Karma

sdaniels
Splunk Employee

What is in your inputs.conf file on the forwarder?

0 Karma

Ayn
Legend

Did you configure inputs on the forwarder?

0 Karma
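
A static cross-check of the three configuration fragments posted in this thread, as an added example that is not part of any post and is not Splunk's own tooling: it confirms that every server in the forwarder's default tcpout group has a matching splunktcp port on the receiver and that the forwarder has at least one monitor input. The function names are hypothetical, each file is parsed on its own (Splunk's layered configuration precedence is not modelled), and network reachability is not tested.

```python
import configparser
import re

# Fragments copied from the posts in this thread.
FWD_OUTPUTS = """[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = vm1.sandbox:9997
[tcpout-server://vm1.sandbox:9997]
"""
FWD_INPUTS = "[monitor:///opt/app/oracle/diag/rdbms/vm2db/vm2db/trace]\n"
RCV_INPUTS = "[splunktcp://9997]\nconnection_host = ip\n"

def parse(text):
    """Parse one .conf file; Splunk's layered precedence is not modelled."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. defaultGroup
    cp.read_string(text)
    return cp

def forward_targets(outputs):
    """(host, port) pairs listed under the default tcpout group(s)."""
    targets = []
    groups = outputs.get("tcpout", "defaultGroup", fallback="")
    for group in filter(None, (g.strip() for g in groups.split(","))):
        servers = outputs.get(f"tcpout:{group}", "server", fallback="")
        for s in filter(None, (x.strip() for x in servers.split(","))):
            host, _, port = s.rpartition(":")
            targets.append((host or s, int(port) if port.isdigit() else None))
    return targets

def receiver_ports(inputs):
    """Ports opened by plain splunktcp stanzas on the receiver."""
    ports = set()
    for name in inputs.sections():
        m = re.fullmatch(r"splunktcp:(?://)?(?:[^:]*:)?(\d+)", name)
        if m:
            ports.add(int(m.group(1)))
    return ports

def check(fwd_outputs, fwd_inputs, rcv_inputs):
    """Return a list of findings; empty means the three files agree."""
    findings = []
    targets = forward_targets(parse(fwd_outputs))
    listening = receiver_ports(parse(rcv_inputs))
    if not targets:
        findings.append("no server in the forwarder's default tcpout group")
    for host, port in targets:
        if port not in listening:
            findings.append(f"receiver has no splunktcp stanza for {host}:{port}")
    if not any(s.startswith("monitor://") for s in parse(fwd_inputs).sections()):
        findings.append("forwarder has no monitor:// input")
    return findings

if __name__ == "__main__":
    print(check(FWD_OUTPUTS, FWD_INPUTS, RCV_INPUTS) or "configs are consistent")
```

For the files posted here the check returns no findings, which matches the outcome in the thread: the configuration was consistent and data appeared after the restart.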