
I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

Explorer

Hi,

I'm evaluating Splunk for the first time. I installed a forwarder on a Windows server and I configured the inputs.conf (/etc/system/local) like this:

[default]
host = name1

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[monitor://C:\Program Files (x86)\FileZilla Server\Logs\]
host = name1
index=FTP_logs_2
source="C:\Program Files (x86)\FileZilla Server\Logs\"
disabled = 0
whitelist=.log$
#ignoreOlderThan = 7d
#blacklist=C:\logs\onelog.log

The goal is to monitor FileZilla logs.
Index has been created on indexer.

When I'm trying to search data by typing name1 in the Splunk search bar, I get no data. name1 is also not on the host tab under the Data Summary button. I first need to search the index in order to see data, and then search with a random word to find what I want.

Can anyone help me?
Thanks,


Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

Builder

Are you the only user on your system? Is your role able to search that index?

You should also make sure to define the sourcetype that you're interested in in your inputs.conf stanza.

Lastly is there a reason for using the whitelist setting? Are there some logs in that directory you're not interested in?


Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

Explorer

I'm the only user and I'm with the default admin account.

I tried whitelist to troubleshoot, but it's not effective.


Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

Splunk Employee

On the forwarder, try running this command from the Splunk folder: bin/splunk list forward-server
Does it say that the connection between the forwarder and the Splunk server is active?


Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

Explorer

This forwarder is on Windows. How do I check this on this OS, please? Thanks


Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

SplunkTrust

From a cmd prompt, run

C:\Program Files\SplunkUniversalForwarder\bin\splunk list forward-server

Or, also from cmd:
Change to drive C: if it isn't already.
cd into \Program Files\SplunkUniversalForwarder\bin
Type splunk list forward-server


Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

Ultra Champion

What do you see when you search for host=name1?


Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

Explorer

I see "No results found" 😞


Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

Contributor

If you search for index=_internal, do you see any events from the host? If not, look at the logs on the forwarder; these will be in %SPLUNK_HOME%\var\log\splunk. Two useful ones to start with are splunkd.log and metrics.log.

Do you see errors in the splunkd.log?

Do you see any records in metrics.log where group=per_index_thruput, series="FTP_logs_2"?

Dave


Re: I've configured inputs.conf for a Splunk forwarder on Windows, but why do I get no data searching for that host?

Explorer

Actually, I do, with the filter "index=_internal host=name1".

I did not see errors in splunkd.log on the forwarder.

I see records like this one in metrics.log:
"07-07-2016 10:59:23.448 +0200 INFO Metrics - group=per_index_thruput, series="ftp_logs_2", kbps=1.134435, eps=1.290304, kb=35.167969, ev=40, avg_age=375332.150000, max_age=1073997"

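To make the metrics.log check from the earlier reply repeatable, here is an added Python example (not from the thread and not Splunk's own tooling) that parses per_index_thruput records like the one quoted above and reports, per index, whether the forwarder is actually producing events for it. The sample log lines, index names and figures below are constructed; to use it on a real forwarder, read %SPLUNK_HOME%\var\log\splunk\metrics.log into log_text.

```python
import re
from collections import defaultdict

# Constructed sample of a forwarder's metrics.log (not copied from the thread);
# the index names and figures are assumptions for illustration only.
SAMPLE_METRICS_LOG = """\
07-07-2016 10:59:23.448 +0200 INFO  Metrics - group=per_index_thruput, series="ftp_logs_2", kbps=1.134435, eps=1.290304, kb=35.167969, ev=40, avg_age=375332.150000, max_age=1073997
07-07-2016 10:59:23.448 +0200 INFO  Metrics - group=per_index_thruput, series="_internal", kbps=0.512000, eps=2.000000, kb=15.872000, ev=62, avg_age=0.500000, max_age=1
07-07-2016 10:59:23.448 +0200 INFO  Metrics - group=per_index_thruput, series="wineventlog", kbps=0.000000, eps=0.000000, kb=0.000000, ev=0, avg_age=0.000000, max_age=0
07-07-2016 10:59:54.448 +0200 INFO  Metrics - group=per_index_thruput, series="ftp_logs_2", kbps=0.000000, eps=0.000000, kb=0.000000, ev=0, avg_age=0.000000, max_age=0
07-07-2016 10:59:54.448 +0200 INFO  Metrics - group=tcpout_connections, name=indexer:9997:0, sourcePort=51234, destIp=10.0.0.5, destPort=9997, _tcp_Bps=1200.00, _tcp_KBps=1.17, _tcp_avg_thruput=1.17, _tcp_Kprocessed=35, _tcp_eps=1.29, kb=35.17
"""

LINE_RE = re.compile(r"^(\S+ \S+ \S+) (\w+)\s+Metrics - (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+?)(?:,|$)')


def parse_metrics_line(line):
    """Split one metrics.log line into timestamp, level and its key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, level, body = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    return {"time": ts, "level": level, **fields}


def index_throughput(log_text):
    """Sum events, KB and sample count per index from per_index_thruput records."""
    totals = defaultdict(lambda: {"ev": 0, "kb": 0.0, "samples": 0})
    for line in log_text.splitlines():
        rec = parse_metrics_line(line)
        if not rec or rec.get("group") != "per_index_thruput":
            continue  # other groups (tcpout, queues, ...) are not index counters
        t = totals[rec["series"].lower()]  # Splunk index names are lowercase
        t["ev"] += int(rec["ev"])
        t["kb"] += float(rec["kb"])
        t["samples"] += 1
    return dict(totals)


def check_index(log_text, index):
    """Classify an index as flowing, idle (sampled but zero events) or not seen."""
    hit = index_throughput(log_text).get(index.lower())
    if hit is None:
        return "not seen: no per_index_thruput sample, the input never sent to this index"
    if hit["ev"] == 0:
        return f"idle: {hit['samples']} samples but zero events, check path/whitelist"
    return f"flowing: {hit['ev']} events / {hit['kb']:.1f} KB over {hit['samples']} samples"
```

A "flowing" result for the index, as in the last reply above, means the input and the forwarder are working, so the remaining suspects are the search side: which index the role can search, and what value the events carry in the host field.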