Hello,
We installed universal forwarders on a few HP-UX systems and they seem to connect to the splunk indexers fine but we can't find any data coming from these hosts when we go search for them. (The hostname doesn't even show up in the search app)
I say they seem to connect fine because I can see the universal forwarder getting listed under 'All Forwarders' tab of the Deployment Monitor app. Also, the forwarder log file logged successful conncetion to idx (TcpOutputProc - Connected to idx=xxx.xxx.xxx.xxx:9997)
What might be cauing the data from these HP-UX hosts not show up in Splunk?
Thanks a lot
If you are using the UNIX app, the data will be going into index=os Try this search
index=* | stats count by host sourcetype source