Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Universal Forwarder - Not Forwarding Data - Intermittent Issue

madhav_dholakia
Contributor
‎06-16-2022 04:35 AM

Hi All,

We have a universal forwarder running on Windows Server which is sending data to our Splunk Instance in Cloud.

Below are some details of .conf files and logs:

inputs.conf

[default]
host = DB_DATA

[monitor://D:\ABC\DB_Monitoring\Cust]
disabled=0
index=rjsql
sourcetype = csv
crcSalt = <SOURCE>
time_before_close = 60

props.conf

[default]
NO_BINARY_CHECK=true
CHARSET=AUTO

[source::D:\ABC\DB_Monitoring\Cust\*.csv]
CHECK_METHOD = modtime

There are some files which are either 1) no being indexed at all 2) only headers are indexed - this doesn't happen with all the files, only some of them.

Logs from _internal (for file which has got only header indexed)

madhav_dholakia_1-1655378730697.png

Tailing processer file status

madhav_dholakia_2-1655378896371.png

btool output:

madhav_dholakia_3-1655379120242.png

Can you please suggest what else I could check here and resolve this intermittent issue?

Thank you.

Labels (1)
Labels
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎06-16-2022 06:08 AM

@madhav_dholakia - Your configuration looks correct to me.

 

I think you should observe how your system is overriding the data in the CSV files every time, how and when they are writing in the file, what is the size of the files, and how long it's taking to write a file.

Please monitor the above parameters on the host for files which are having this more than other files and compare. I think that should lead you to the root cause that is causing this intermittent issue.

 

I hope this helps!!!

0 Karma
Reply

madhav_dholakia
Contributor
‎06-16-2022 06:19 AM

thanks, @VatsalJagani - these files are <10KBs and updated every 15 days/month. With a time_before_close param set, I don't think file writing will take more time looking at the file size.

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎06-16-2022 06:51 AM

Yeah, file size, I don't think should be a problem here then.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...