Hi @AmyShah, if you're not receiving data from a Forwarder you have at first to check if you did all the configuration steps: put Indexer in receiving state [Settings -- Forwarding and Receiving -- Receive Data]; configure Forwarder to send data to that Indexers (https://docs.splunk.com/Documentation/Splunk/latest/Data/Usingforwardingagents), with final restart of the Forwarder; be sure that the route between them is open (from Forwarder use telnet on the Indexer's 9997 port). If you did all the above configuration steps, you have to check, if you're receiving logs. At first check if you're receiving the Splunk internal logs: index=_internal host=<your_host> If yes, the problem is that you have to configure inputs (https://docs.splunk.com/Documentation/Splunk/8.1.3/Data/Usingapps) or there's a problem on them. If not, check again the connection. Ciao. Giuseppe
... View more