Receiver not receiving data from universal forward...

easedilctl · ‎05-24-2013

Hi,

I'm trying to congfigure a forwarder and the receiver doesn't get any data. Please help.

Forwarder's outputs.conf:
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = vm1.sandbox:9997

[tcpout-server://vm1.sandbox:9997]

That was configured using splunk add forward-server command.

Below is the Receivers inputs.conf (configured via Splunk Web>Manager>Forwarding and receiving menu)

[splunktcp://9997]
connection_host = ip

Totally a newbie and trying to understand how these components work.

Thanks!

easedilctl · ‎05-29-2013

not sure what happened but I started seeing the logs after rebooting the server. here's the output of spunk list monitor command

Monitored Directories:
$SPLUNK_HOME/var/log/splunk/splunkd.log
/opt/app/splunkforwarder/var/log/splunk/audit.log
/opt/app/splunkforwarder/var/log/splunk/first_install.log
/opt/app/splunkforwarder/var/log/splunk/license_audit.log
/opt/app/splunkforwarder/var/log/splunk/license_usage.log
/opt/app/splunkforwarder/var/log/splunk/metrics.log
/opt/app/splunkforwarder/var/log/splunk/scheduler.log
/opt/app/splunkforwarder/var/log/splunk/searchhistory.log
/opt/app/splunkforwarder/var/log/splunk/splunkd.log
/opt/app/splunkforwarder/var/log/splunk/splunkd_access.log
/opt/app/splunkforwarder/var/log/splunk/splunkd_stderr.log
/opt/app/splunkforwarder/var/log/splunk/splunkd_stdout.log
$SPLUNK_HOME/var/spool/splunk/...stash_new
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/alert_vm2db.log
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_dbrm_18753.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_dbrm_18753.trm
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_j001_18973.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_j001_18973.trm
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_mmon_18771.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_mmon_18771.trm
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_vkrm_18831.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_vkrm_18831.trm
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_vktm_18745.trc
/opt/app/oracle/diag/rdbms/vm2db/vm2db/trace/vm2db_vktm_18745.trm
Monitored Files:
$SPLUNK_HOME/etc/splunk.version

lguinn2 · ‎05-24-2013

Here is a great article on the Splunk wiki: Troubleshooting Monitor Inputs
i suggest that you skip the first part of the page on setting DEBUG mode, as the other suggestions on the page are generally both easier and more useful.

And as a very first step, I would log onto the forwarder and give the following command

splunk list monitor

which will tell you which files Splunk is reading. A quick peek at splunkd.log may be helpful, too; you can even search it with the following command:

index=_internal source=*splunkd.log

easedilctl · ‎05-29-2013

thank you for your help!

easedilctl · ‎05-24-2013

The following is what's on my inputs.conf in the forwarder:

[monitor:///opt/app/oracle/diag/rdbms/vm2db/vm2db/trace]

And yes, splunk user has permissions on those directories.

sdaniels · ‎05-24-2013

What is in your inputs.conf file on the forwarder?

Ayn · ‎05-24-2013

Did you configure inputs on the forwarder?

Receiver not receiving data from universal forwarder

Enterprise Security Content Update (ESCU) | New Releases

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...