Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

forwarder is not always forwarding all the logs

dirkckau
New Member
‎02-20-2018 08:16 PM

Hi,

We are using Splunk 6.2.3 and everything are working fine before.

In our new project, we have some additional log files in one directory.

Our issue is that not all the target logs in that directory are forwarding to the indexer.
e.g. There are 20 log files, sometimes it can monitor only 15 log files, sometimes it can monitor only 16 log files after a restart, and sometimes all the 20 log files can be monitored after a restart.

From the splunkd log in the forwarder server, we couldn't find any errors in forwarding. Like the case only 15 log files are forwarding, the splunkd log is expected and saying that only 15 files are monitoring.

Does anyone have some similar experiences?

Regards,
Dirk

Tags (1)
0 Karma
Reply

dirkckau
New Member
‎02-27-2018 12:06 AM

Hi,

Do you know the capacity of a single forwarder?
We are wondering if the forward capacity is reached, as our logs are not small and there is only a single forwarder process in each server.

There are no indexer queue blockages.
The log roll over everyday.

Below with the input conf. 

##monitor:///home/tibco/ida/logs/ida*.log]
##index = main
##sourcetype = rrob
##disabled = false

[monitor:///home/tibco/ida/logs/ida*trace.log]
index = main
sourcetype = rrob
disabled = false

[monitor:///home/tibco/ida/logs/ida*access.log]
index = main
sourcetype = rrob
disabled = false

[monitor:///home/tibco/ida/logs/ida*java.log]
index = main
sourcetype = rrob
disabled = false

[monitor:///home/tibco/ida/logs/ida*jsvc.log]
index = main
sourcetype = rrob
disabled = false

[monitor:///home/tibco/ida/logs/ida*tracking.log]
index = main
sourcetype = rrob
disabled = false

Thanks and Regards,
Dirk

0 Karma
Reply

mwdbhyat
Builder
‎02-21-2018 06:13 AM

Hi,

Are there any indexer queue blockages? How often do the log files roll ? Can you send an example of what your inputs.conf looks like?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...