Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Universal Forwarder

slopresto
New Member
‎05-30-2011 08:56 AM

I have multiple LAMP servers that I am looking to monitor with Splunk. I got my server setup last Friday and setup the Universal forwarder on a couple of VM's that i am using for testing. The problem is that these hosts do not show up on my server.

I am running the configs from the *nix module on my forwarder test systems and was expecting them to show up when I was viewing the os index. Unfortunately, I only see a single host.

I have verified that the forwarder is connecting to the server. A quick view of tcpdump output shows that information is being sent, but I am not sure what the server is doing with it; as the UI only shows the index server host and no others.

Am I missing something basic here?

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎05-30-2011 09:06 AM

Usually, host= is set to FQDN in the [defaults] stanza of $SPLUNK_HOME/etc/system/local/inputs.conf. If this value is set incorrectly, Splunk could be assigning the wrong host value for your data.

This is an instance where btool can help. On your forwarders, run this command:

splunk cmd btool --debug inputs list

And look for your various inputs and see what host= is set to for them.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...