Getting Data In

Universal Forwarder

slopresto
New Member

I have multiple LAMP servers that I am looking to monitor with Splunk. I got my server set up last Friday and set up the Universal Forwarder on a couple of VMs that I am using for testing. The problem is that these hosts do not show up on my server.

I am running the configs from the *nix module on my forwarder test systems and was expecting them to show up when I was viewing the os index. Unfortunately, I only see a single host.

I have verified that the forwarder is connecting to the server. A quick view of tcpdump output shows that information is being sent, but I am not sure what the server is doing with it, as the UI only shows the index server host and no others.

Am I missing something basic here?

0 Karma

dwaddle
SplunkTrust

Usually, host= is set to FQDN in the [defaults] stanza of $SPLUNK_HOME/etc/system/local/inputs.conf. If this value is set incorrectly, Splunk could be assigning the wrong host value for your data.

This is an instance where btool can help. On your forwarders, run this command:

splunk cmd btool --debug inputs list

And look for your various inputs and see what host= is set to for them.

0 Karma
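
As an added example (not part of the answer above and not Splunk's own tooling): a small shell filter that reads `btool --debug` output and lists each host= setting with its stanza and the file that defines it, then flags values that differ from the name the forwarder should report. The line layout it parses, the sample output and the function names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list host= assignments found in `btool --debug` output.
# Assumption: every line is "<conf file path><whitespace><stanza header or key = value>"
# and the conf file path contains no spaces.

# stdin: btool --debug output
# stdout: one tab-separated line per host= setting: stanza, host value, defining file
host_settings() {
    awk '
        {
            file = $1
            line = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", line)   # drop the leading file path
            sub(/[ \t\r]+$/, "", line)              # drop trailing whitespace
        }
        line ~ /^\[.*\]$/ { stanza = line; next }   # remember the current stanza
        line ~ /^host[ \t]*=/ {
            value = line
            sub(/^host[ \t]*=[ \t]*/, "", value)
            printf "%s\t%s\t%s\n", stanza, value, file
        }
    '
}

# $1: the name this machine should report; stdin: btool --debug output
# Prints only the settings whose value differs from $1. The shipped default
# $decideOnStartup is skipped because Splunk replaces it with the local hostname.
mismatched_hosts() {
    host_settings | awk -F '\t' -v want="$1" '$2 != want && $2 != "$decideOnStartup"'
}

# Constructed sample (not captured from a real forwarder): a forwarder whose
# system/local/inputs.conf carries another machine's name in host=.
sample_btool_output() {
    cat <<'EOF'
/opt/splunkforwarder/etc/system/local/inputs.conf       [default]
/opt/splunkforwarder/etc/system/local/inputs.conf       host = splunk-indexer
/opt/splunkforwarder/etc/apps/unix/local/inputs.conf    [monitor:///var/log]
/opt/splunkforwarder/etc/system/local/inputs.conf       host = splunk-indexer
/opt/splunkforwarder/etc/apps/unix/local/inputs.conf    index = os
/opt/splunkforwarder/etc/apps/unix/local/inputs.conf    [script://./bin/cpu.sh]
/opt/splunkforwarder/etc/system/local/inputs.conf       host = splunk-indexer
/opt/splunkforwarder/etc/apps/unix/local/inputs.conf    interval = 30
EOF
}

# On a forwarder: splunk cmd btool --debug inputs list | mismatched_hosts "$(hostname -f)"
sample_btool_output | mismatched_hosts web01.example.com
```

Every line it prints names the file to edit; an empty result means all inputs already carry the expected host value.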