Test Environment consists of: 1 UF 6.2.0 on RHEL 6 sending to Splunk 6.2.1 on RHEL 6 server.
On the UF, "splunk list forward-server" shows the forwarder as active and "splunk list monitor" shows the log files to monitor. Splunk log confirms connection to 9997 on indexer.
On the indexer, port 9997 is created to receive and netstat confirms connectivity from UF. SELinux is disabled. Searching "index=_internal source=*metrics.log tcpin_connections" shows _tcp_Kprocessed=62.46. But when searching the index, there is nothing. Starting in debug mode doesn't show any errors, so I'm not sure where else to check or what other permissions might need to be adjusted.
Does anyone have any suggestions or ideas?