Hi
Is this particular forwarder managing to transmit any data to the indexer? As romedome suggested, "Monitor another file in a different directory and confirm that you are able to index it." Does that work?
If I'm interpreting the DEBUG events correctly, they appear to indicate that the fishbucket pointers are being advanced and data is being read from /var/log/snmptrapd.log. I'd check the metrics.log files on the forwarder to see if there's any reference to data being processed for the source /var/log/snmptrapd.log, or with the appropriate sourcetype. The events you're looking for will contain
group=per_source_thruput, series="/var/log/snmptrapd.log"
or
group=per_sourcetype_thruput, series="sourcetype from inputs.conf"
Can you post the inputs.conf stanza for the /var/log/snmptrapd.log input and how you're searching for the /var/log/snmptrapd.log data in Splunk Web?
Dave
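
The metrics.log check described in the reply above, as an added example that is not part of the original post: it totals the kb and ev counters for one series in a thruput group. The sample lines are constructed in the usual metrics.log key=value style, and the function names are hypothetical.

```python
import re

# Constructed sample lines in the style of a forwarder's metrics.log
# (normally $SPLUNK_HOME/var/log/splunk/metrics.log); not taken from the thread.
SAMPLE = """\
03-14-2024 10:00:31.102 +0000 INFO  Metrics - group=per_source_thruput, series="/var/log/messages", kbps=0.052, eps=0.355, kb=1.623, ev=11, avg_age=1.000, max_age=2
03-14-2024 10:00:31.102 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=0.052, eps=0.355, kb=1.623, ev=11, avg_age=1.000, max_age=2
03-14-2024 10:01:02.105 +0000 INFO  Metrics - group=per_source_thruput, series="/var/log/snmptrapd.log", kbps=0.008, eps=0.064, kb=0.25, ev=2, avg_age=0.500, max_age=1
03-14-2024 10:01:33.108 +0000 INFO  Metrics - group=per_source_thruput, series="/var/log/snmptrapd.log", kbps=0.016, eps=0.129, kb=0.5, ev=4, avg_age=0.250, max_age=1
03-14-2024 10:01:33.108 +0000 INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=512, current_size_kb=0
"""

# key=value pairs; values are either double-quoted or run up to the next comma/space
KV = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')


def parse_line(line):
    """Return (timestamp, fields) for a Metrics line, or None for anything else."""
    head, sep, body = line.partition(" Metrics - ")
    if not sep:
        return None
    timestamp = " ".join(head.split()[:2])  # date and time tokens
    fields = {key: value.strip('"') for key, value in KV.findall(body)}
    return timestamp, fields


def thruput(lines, group, series):
    """Total the kb/ev counters reported for one series in one thruput group."""
    total = {"intervals": 0, "kb": 0.0, "ev": 0, "first": None, "last": None}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        timestamp, fields = parsed
        if fields.get("group") != group or fields.get("series") != series:
            continue
        total["intervals"] += 1
        total["kb"] += float(fields.get("kb", 0))
        total["ev"] += int(fields.get("ev", 0))
        total["first"] = total["first"] or timestamp
        total["last"] = timestamp
    return total


if __name__ == "__main__":
    print(thruput(SAMPLE.splitlines(), "per_source_thruput", "/var/log/snmptrapd.log"))
```

A non-zero ev total means the forwarder read and processed events for that source, which moves the investigation to forwarding or to the search itself. By default metrics.log records only the busiest series in each interval (the maxseries setting in limits.conf), so a missing series on a busy forwarder is suggestive rather than conclusive.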