Getting Data In

Using indexer discovery, how to check if a forwarder has forwarded a file to the indexer cluster?

Path Finder

- After uploading file to forwarder monitoring directory, we cannot search it on search head.
- 1 search head --> 1 indexer cluster {1 master + 3 indexers} <-- 1 universal forwarder
- enable "Forward master node data to the indexer layer":
- configure "Use indexer discovery to connect forwarders to peer nodes":

splunkd.log on Forwarder:

11-24-2016 11:07:24.347 +0800 INFO TcpOutputProc - Closing stream for idx=
11-24-2016 11:07:24.348 +0800 INFO TcpOutputProc - Connected to idx= using ACK.
11-24-2016 11:07:38.544 +0800 INFO TailReader - Archive file='/data/' updated less than 10000ms ago, will not read it until it stops changing. File size=0
11-24-2016 11:07:48.598 +0800 INFO TailReader - Archive file='/data/' has stopped changing, will read it now.
11-24-2016 11:07:48.598 +0800 INFO ArchiveProcessor - Handling file=/data/
11-24-2016 11:07:48.598 +0800 INFO ArchiveProcessor - new tailer already processed path=/data/
11-24-2016 11:07:54.207 +0800 INFO TcpOutputProc - Closing stream for idx=

11-24-2016 11:07:54.207 +0800 INFO TcpOutputProc - Connected to idx= using ACK.

1. the forwarder has already handled the file. How can we check if it successfully forwards it to the indexer cluster?
2. the forwarder is continuing to change the connected indexers. Is it normal or an issue of the communication between the forwarder and indexers?

Thank you very much for helps.

0 Karma


The forwarder will continue to change the connected indexer. That is called "auto load balancing" and it is the desired behavior. It is also the default.

If you want to know if the file has arrived on the indexer, you only need to search for it:

index=* source="/data/"

If the file does not appear when you search, check to see what index was used in the inputs.conf on the forwarder. Make sure that index exists on the indexers and that you have permission to read it.

0 Karma

Path Finder

Thanks for the reply. Glad to know that changing connected indexer is a normal behavior, so it's easy to troubleshoot this issue. We tried other file and run the search * source="/data/". IT WORKS. Therefore we think it is the issue about the file.

Actually, when we create the indexers in the cluster, we clone a previous distrubuted index where we had forwarded the Although we remove all the database on the new indexer, will it save the hash or something else to mark the file forwarded? When we forward again, the indexer will ignore it by checking the hash?

If it is, how can we clean the hash records to make the new indexer working for a duplicate file?

Thank you very much.


0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!