Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Universal forwarder stopped suddenly. but not fetching the data where it got stopped after restart

82padarthi
Explorer
‎01-06-2015 08:03 PM

hi..

in one of my windows server the universal forwarder stopped unexpected. found and restarted the universal forwarder after a day, but the universal forwarder sending the logs from the universal forwarder start time, what about my previous logs i mean 1 day logs
should i have to configure any attribute to get this done

anyone please suggest

Many Thanks

Tags (1)
0 Karma
Reply

LightSQR
New Member
‎02-01-2017 11:19 AM

I'm getting the same problem. Splunk Universal Forwarder on Linux, accessing file data. When the forwarder stops working, we restart the forwarder and it ingests data again, but not for that entire gap that it was down.

0 Karma
Reply

LightSQR
New Member
‎02-01-2017 02:00 PM

Aha - Found it in apps/search:

-bash-3.2$ more inputs.conf
[monitor:///logs/remote/.../*.log]
disabled = false
index = issec
sourcetype = syslog

0 Karma
Reply

somesoni2
Revered Legend
‎02-01-2017 02:17 PM

Great. Either comment the entry (put # in front of each line) OR set disabled = true. Restart Splunk forwarder after making the change and it should be sending data for this log file to indexers anymore.

0 Karma
Reply

LightSQR
New Member
‎02-01-2017 01:45 PM

No, here is the entire contents of the inputs.conf:

-bash-3.2$ more inputs.conf
[default]
host = tuslplog01

0 Karma
Reply

LightSQR
New Member
‎02-01-2017 01:58 PM

It's weird... This is a syslog server, but the data is file based, but I can't see where the inputs are defined...

0 Karma
Reply

somesoni2
Revered Legend
‎02-01-2017 02:03 PM

Run below command and see what all different inputs.conf you have. (assuming UF is installed /opt/splunkforwarder directory, update if it's different)

/opt/splunkforwarder/bin/splunk cmd btool inputs list --debug
0 Karma
Reply

ddrillic
Ultra Champion
‎02-01-2017 01:22 PM

You don't use ignoreOlderThan in your inputs stanza, right?

Reply

somesoni2
Revered Legend
‎02-01-2017 01:34 PM

Good point.

0 Karma
Reply

somesoni2
Revered Legend
‎02-01-2017 11:40 AM

What type of logs are showing gaps, file monitoring, scripted inputs etc?? If it's file monitoring, then check, when the forwarder started working again, if the log files did contain the data which is not been shown. If the files are rolled over, they may not get monitored. If it's a scripted, scheduled inputs, they there won't be any backfill and it'll show the gaps.

0 Karma
Reply

gfuente
Motivator
‎01-07-2015 02:50 AM

Hello

By default the UF should continue where it left before stopping. This is the default behaviour, nothing to configure to get this.

What kind of inputs are you using? Is the missing data persisted on the server, so UF can read it? Maybe it has been rolled before the restart of the UF...

Regards

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...