Solved: Universal forwarder for Linux is not forwarding so...

Splunk_Ryan · ‎03-22-2021

On my Linux server the universal forwarder and Splunk_TA_nix are installed, at least df and cpu are enabled in inputs.conf.

vi /opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf

[script://./bin/df.sh]
interval = 300
sourcetype = df
source = df
index = os
disabled = 0

[script://./bin/cpu.sh]
sourcetype = cpu
source = cpu
#interval = 30
interval = 300
index = os
disabled = 0

When I search for this Linux server on Splunk, I get df logs. But cpu logs are missing

Top 10 Values Count %
df 44 1.224%

Could anyone advise? much appreciated.

isoutamo · ‎03-22-2021

Have you try to run this cpu.sh as user splunk on this server? There could be an issue with permission or other stuff.

View solution in original post

isoutamo · ‎03-22-2021

Have you try to run this cpu.sh as user splunk on this server? There could be an issue with permission or other stuff.

Splunk_Ryan · ‎03-22-2021

Thanks soutamo,

The cpu.sh was not running on the Linux server either as splunk or as root. It turned out that the cpu.sh has a dependency on sysstat package which I had not installed.

It is running now after sysstat was installed.

Universal forwarder for Linux is not forwarding some types of sourcetypes

troubleshooting

Enterprise Security Content Update (ESCU) v3.54.0

Using Machine Learning for Hunting Security Threats

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...