I followed the steps mentioned at the link below to send internal logs from the SH to the indexer.
http://docs.splunk.com/Documentation/Splunk/6.3.0/DistSearch/Forwardsearchheaddata
Now I am looking for a way to check and validate that I am receiving internal logs from the SH on my indexer. How do I do that?
Have a look at this URL and review your config according to it:
http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Forwardsearchheaddata
Hope this helps you
I used that URL to start forwarding internal logs. Now I want to validate that the logs are coming to the indexer.
Ahh, ok, I thought you had the wrong Splunk version or so ...
The logs are not coming to your indexer, but are they still accessible on your SH? Have you read them to see if they show some kind of problem/error?
Have you checked communication on port 9997 between the SH and the indexers?
Regards.
Hi varad_joshi,
did you try
index=_internal host=SH_hostname
?
Bye.
Giuseppe
Yup. I don't see the SH mentioned in the host field. I should have mentioned that in my question.
Jinx!
@cusello - It's an American thing to say when we say the same thing at the same time. 🙂 🙂 Best wishes!
OK thanks!
Bye.
Giuseppe
This should do it:
index=_internal host=searchheadhostname
If there are events returned, it should be working.
I don't see the SH mentioned in the host field. I should have mentioned that in my question. So events are not being moved to the indexer. Right?
Sounds like that is correct.
Be sure you are forwarding your events to the indexers. You can do it in the GUI, too. If you don't set it up to forward, then they will stay on the SH. It's like you would do on an HF.
I think I finally understand what you need.
If you look at the field splunk_server on the data from the search that cusello and I answered with, that will tell you which host the data was indexed on. If the field has your indexer, then it is working. If it is the search head, then it is not.
Hopefully I understood your dilemma correctly.
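As an added example (not part of the original thread), here is a small Python script that runs the search the answers describe through the Splunk REST API and reads the splunk_server field to decide whether the search head's internal events are landing on the indexer. The URL, host names and credentials are placeholders; the REST call assumes basic auth on the management port and a verifiable TLS certificate.

```python
import json
import ssl
import urllib.parse
import urllib.request
from base64 import b64encode

# Placeholder values (assumptions): adjust to your environment.
SPLUNK_URL = "https://splunk.example.com:8089"  # management port of a node that can search _internal
SEARCH_HEAD = "sh01"                             # value of the host field for the search head


def build_search(search_head):
    """The search from the thread, aggregated by the node that actually holds the events."""
    return ("search index=_internal host=%s earliest=-15m "
            "| stats count by splunk_server" % search_head)


def classify(rows, search_head):
    """Decide from stats rows ({'splunk_server': ..., 'count': ...}) where the SH's
    internal events were indexed. Counts arrive as strings in Splunk's JSON output."""
    servers = {r["splunk_server"]: int(r["count"]) for r in rows if int(r["count"]) > 0}
    if not servers:
        return "no-events"      # nothing found: check outputs.conf and port 9997 connectivity
    if set(servers) == {search_head}:
        return "local-only"     # events still sit on the SH: forwarding is not in effect
    if search_head in servers:
        return "mixed"          # some local, some forwarded (e.g. forwarding enabled recently)
    return "forwarded"          # every event is held by an indexer


def run_search(user, password, search_head=SEARCH_HEAD, url=SPLUNK_URL):
    """Run a oneshot search via the REST API and return the stats rows.
    Not called at import time, so the module can be used offline."""
    body = urllib.parse.urlencode({
        "search": build_search(search_head),
        "exec_mode": "oneshot",
        "output_mode": "json",
    }).encode()
    req = urllib.request.Request(url + "/services/search/jobs", data=body)
    token = b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp).get("results", [])


if __name__ == "__main__":
    # Constructed sample rows standing in for a live response.
    sample = [{"splunk_server": "idx01", "count": "80"}, {"splunk_server": "idx02", "count": "40"}]
    print(classify(sample, SEARCH_HEAD))  # forwarded
```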