Hi all,
I have 2 servers, each having 3 sources.
I am able to receive logs from 2 sources from 2 servers, but I am not receiving logs from one source.
I checked: there are logs on the server and no permission issues.
How do I troubleshoot this?
Verify the inputs are not disabled.
Use the splunk list monitor command to make sure the expected files are being monitored.
Check splunkd.log for messages relating to the files.
I checked; disabled is 0.
Use the splunk list monitor command --> for this, I don't have access to the universal forwarder to check.
I mentioned the source which was not coming in, in the search with index=_internal source=splunkd, but I don't see any logs.
Hi
Here is one old answer (you can find a lot of those) https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-a-universal-forwarder-lost-d... to solve this kind of issue.
r. Ismo
Hi @isoutamo & @richgalloway, thank you for your inputs.
Actually, the source was not added in inputs. I noticed it lately and added it, and now I can see the logs.
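
The check that resolved this thread (a source with no stanza in inputs, or a stanza that is disabled) can be run without shell access to the forwarder if you have a copy of the inputs.conf text that is deployed to it. The following is an added example, not code from any of the posters or from Splunk; the function names and the sample stanzas and paths are constructed for illustration.

```python
import re

# Constructed sample inputs.conf content (not taken from the thread).
SAMPLE_INPUTS = """
[monitor:///var/log/app/access.log]
index = web
disabled = 0

[monitor:///var/log/app/error*.log]
index = web
disabled = 1

[monitor:///opt/svc/.../audit.log]
index = audit
"""

def parse_monitors(conf_text):
    """Return {monitor_path: disabled_bool} for every [monitor://...] stanza."""
    monitors, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = name[len("monitor://"):] if name.startswith("monitor://") else None
            if current is not None:
                monitors.setdefault(current, False)  # inputs are enabled unless disabled is set
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "disabled":
                monitors[current] = value.lower() in ("1", "true")
    return monitors

def stanza_regex(path):
    """Translate monitor wildcards: '...' spans directories, '*' stays within one path segment."""
    parts = re.split(r"(\.\.\.|\*)", path)
    body = "".join(".*" if p == "..." else "[^/]*" if p == "*" else re.escape(p) for p in parts)
    return re.compile(body + r"(/.*)?$")  # a monitored directory also covers files under it

def check_sources(conf_text, expected_files):
    """Classify each expected file as 'monitored', 'disabled' or 'missing'."""
    monitors = parse_monitors(conf_text)
    result = {}
    for f in expected_files:
        hits = [disabled for path, disabled in monitors.items() if stanza_regex(path).match(f)]
        result[f] = "missing" if not hits else "monitored" if not all(hits) else "disabled"
    return result
```

A "missing" result corresponds to the cause found in this thread; a "disabled" result corresponds to the first check suggested in the reply.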