Getting Data In

Weird issue - forwarder app works on one server, but not another

msarro
Builder

Hey everyone. I have written a simple forwarding app which monitors 2 directories. I have this app deployed on 2 servers currently, and everything works fine. All of the servers are built exactly the same, running the same vendor's software.

I tried installing it on a third server. The directories seem to be ignored. I checked with btool, everything is in inputs as it should be. It just isn't sending data. I have verified that there is data for it to send in the correct locations too. It just seems like splunk isn't forwarding that data. Is there any way to check possible reasons that it may not be forwarding? Or are there any things to look for?

Here is the content of inputs.conf:

[monitor:///var/broadworks/billing/*/*.csv]
index=XS
sourcetype=XS_CDR

[monitor:///var/broadworks/logs/appserver/XSLog*.txt]
index=XSSIP
sourcetype = XSSIPLOG

Like I said, i am at a loss right now. These servers were all built using the same imaging system, so it shouldn't be a problem with permissions.

Tags (1)
0 Karma

aholzer
Motivator

Check to make sure you've configured your outputs.conf on the forwarder.

Also look at your splunkd.log for error messages, on both the forwarder and the indexer. It may be that you are actually sending data to the indexer, but your indexer isn't configured to deal with it yet. In which case you may want to confirm that the props.conf is properly configured.

Hope this helps.

0 Karma

Ayn
Legend

Permissions issues? Generally it's always a good idea to use amrit's excellent script for checking the status of monitor inputs: http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...