Solved: Universal forwarder for Linux is not forwarding so...

Splunk_Ryan · ‎03-22-2021

On my Linux server the universal forwarder and Splunk_TA_nix are installed, at least df and cpu are enabled in inputs.conf.

vi /opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf

[script://./bin/df.sh]
interval = 300
sourcetype = df
source = df
index = os
disabled = 0

[script://./bin/cpu.sh]
sourcetype = cpu
source = cpu
#interval = 30
interval = 300
index = os
disabled = 0

When I search for this Linux server on Splunk, I get df logs. But cpu logs are missing

Top 10 Values Count %
df 44 1.224%

Could anyone advise? much appreciated.

isoutamo · ‎03-22-2021

Have you try to run this cpu.sh as user splunk on this server? There could be an issue with permission or other stuff.

View solution in original post

isoutamo · ‎03-22-2021

Have you try to run this cpu.sh as user splunk on this server? There could be an issue with permission or other stuff.

Splunk_Ryan · ‎03-22-2021

Thanks soutamo,

The cpu.sh was not running on the Linux server either as splunk or as root. It turned out that the cpu.sh has a dependency on sysstat package which I had not installed.

It is running now after sysstat was installed.

Universal forwarder for Linux is not forwarding some types of sourcetypes

troubleshooting

Observability Highlights | November 2022 Newsletter

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

Using Machine Learning for Hunting Security Threats