Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About thomas_bengtsen
thomas_bengtsen
New Member
Member since:
10-28-2011
06-05-2020
Community Statistics
| Posts | 6 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 10-28-2011 |
Activity Feed
- Posted Re: Missing Source data from Forwarder on Getting Data In. 11-01-2011 03:06 PM
- Posted Re: Missing Source data from Forwarder on Getting Data In. 10-28-2011 09:16 AM
- Posted Re: Missing Source data from Forwarder on Getting Data In. 10-28-2011 08:14 AM
- Posted Re: Missing Source data from Forwarder on Getting Data In. 10-28-2011 08:13 AM
- Posted Re: Missing Source data from Forwarder on Getting Data In. 10-28-2011 08:08 AM
- Posted Missing Source data from Forwarder on Getting Data In. 10-28-2011 06:15 AM
- Tagged Missing Source data from Forwarder on Getting Data In. 10-28-2011 06:15 AM
- Tagged Missing Source data from Forwarder on Getting Data In. 10-28-2011 06:15 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
10-28-2011
09:16 AM
Thanks for the suggestion but still no change.
I think it it something simpler - remember I am new to this.
When I check the Summery screen the only Source that show up is the source I added via the GUI on the Indexer itself - app1.
There are other indexes apart from app1 and app2 from splunks own files and they don't show up either. It seems to me just a question of adding this data which already exists in indexes to the searchable view.
Thanks
... View more
10-28-2011
08:13 AM
Indexer:
No outputs.conf
inputs.conf
[splunktcp://9997]
[monitor:///com/logs/grp/app1.log]
disabled = false
followTail = 0
index = app1
indexes.conf
[app2]
coldPath = $SPLUNK_DB/app2/colddb
homePath = $SPLUNK_DB/app2/db
thawedPath = $SPLUNK_DB/app2/thaweddb
disabled = 0
[app1]
coldPath = $SPLUNK_DB/app1/colddb
homePath = $SPLUNK_DB/app1/db
thawedPath = $SPLUNK_DB/app1/thaweddb
... View more
10-28-2011
08:08 AM
Forwarder:
outputs.conf
[tcpout]
defaultGroup = indexer1
heartbeatFrequency=10
Defect 396475
maxQueueSize=10000
[tcpout:indexer1]
server=192.168.53.6:9997
inputs.conf
host = TEST01A
[splunktcp://9997]
[monitor:///com/logs/grp/app2.log]
disabled = false
followTail = 0
index = app2
splunk list monitor -auth admin:*****
Monitored Directories:
$SPLUNK_HOME/var/log/splunk
...lines removed
Monitored Files:
$SPLUNK_HOME/etc/splunk.version
$SPLUNK_HOME/var/log/splunk/splunkd.log
$SPLUNK_HOME/var/spool/splunk
/com/logs/grp/app2.log
... View more
10-28-2011
06:15 AM
Hi Group,
I am new to the Splunk thing so bear with me.
I have installed an indexer, configured it to look at some local log files and that seems to work ok. I have also installed a forwarder on another machine and configure it to monitor a file and connect to the Indexer. As far as I can tell the file is being monitored and the data is sent to the Indexer and being indexed – at least I can see the index having count and size_bytes if I look under “Status –> Index activity -> Index activity overview”.
The problem is that if I look on the search page I can only see one source – namely the local file. My searches do not show any entries form the file on the indexer. Additionally – and this I find very strange – if under “Status –> Index activity -> Index activity overview” I drill down into the index for the remote server it shows me the entries from the local file on the indexer.
(Splunk 4.2 on Solaris 10 X86)
Thanks
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
