How to see the logs of the second forwarders logs?...

aatik5u · ‎04-14-2022

Hello there,

I am working on VMware, I have two linux machines that I'm using as universal forwarders (ubuntu desktop and a linux server that are configured in the exact same way as forwarders). I have another linux machine that I'm using as an indexer.

The thing is that one of my forwarders (linux server) is forwarding correctly to the indexer, and i can see all the information i need in the index main. BUT the second forwarder logs are nowhere to be found. Although I can see the 2nd universal forwarder when I type index=_internal in the search bar but this index doesn't show any logs.

Can someone help me please so I can see the logs of the second forwarders logs?

Have a great day everyone!

Abir

gcusello · ‎04-14-2022

Hi @aatik5u,

if you can see both the forwarders, this means that the connection is correctly established.

The problem could be at input level: how do you configured inputs on Forwarders?

did you used a TA (e.g. TA_Linux) or what else?

You can sse this in the $SPLUNK_HOME/etc/apps folder of Forwarders: there are some common apps installed by Splunk and some apps installed to take logs e.g. TA_Linux (https://splunkbase.splunk.com/app/833/).

Ciao.

Giuseppe

How to see the logs of the second forwarders logs? (Using two forwarders and one indexer)

host

inputs.conf

universal forwarder

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!