Troubleshoot - Linux Universal Forwarder is not forwarding all files

daddyoh
Explorer

We have a UF on RHEL that forwards some files fine, but there is one that is not being forwarded. I recently added a file to forward and it is not being forwarded. We are using Splunk Light 6.4 and UF 6.4.

I can log into the splunk account for that UF and cat the file. I can see the contents of the file. This is also a file type that is being forwarded on other servers fine. I have restarted the UF several times but no records are being forwarded. The volume of records in the file is low. Yesterday when I added it there were maybe 200 records. Today, after rotation, there are two records.

The records look like:

[26-Jul-2016 08:35:56 America/New_York] PHP Notice:  Trying to get property of non-object in /WWW/repos/kp4/includes/kp4/php/Artemis/Slideshow/Instagram.php on line 70
[26-Jul-2016 08:35:56 America/New_York] PHP Notice:  Trying to get property of non-object in /WWW/repos/kp4/includes/kp4/php/Artemis/Slideshow/Instagram.php on line 79

I'm very new to Splunk. We have 5 servers successfully forwarding records from 16 files and folders. We forward about 500MB of records a day.

How can I diagnose this problem? We added this file to Splunk via the Data Input menu item on the search head. We run a single search, index, deployment server. Very simple setup.

Thanks in advance for your help.


ddrillic
Ultra Champion

The place to start is "I can't find my data!"

daddyoh
Explorer

@ddrillic

The site won't let me post an answer because I don't have enough reputation points yet.

Thanks for the link. That is the first place I went to.

I did get it to work:

I ran this on the Splunk search instance:

http://webserlog:8000/en-US/debug/refresh

and restarted the UF instance. The contents of the file are now showing up.

daddyoh
Explorer

I restarted the Splunk UF and looked at splunkd.log and could not see any references to the file in the log file. No progress.
