Hi,
I have a universal forwarder setup on a Linux x64 machine, with monitor setup from CLI to load a whole folder full of log files. I do not receive data events at the receiver from the log files; some of the files are reported as binary files, but even the others are not showing up. It is a trial license and I have 0 license violations, and I can see the forwarder as active in the deployment monitor. I have tried cleaning the indexes and bouncing the Splunk instances on both machines, no help. We need to decide soon if we want to stick with Splunk, only if we can get this one working in the first place.
/opt/splunkforwarder/etc/system/local/outputs.conf
[tcpout]
defaultGroup = alert.example.com_9997
[tcpout:alert.example.com_9997]
server = alert.example.com:9997
[tcpout-server://alert.example.com:9997]
/opt/splunkforwarder/etc/apps/search/local/inputs.conf
[monitor:///opt/auditLogs]
disabled = false
sourcetype = OAM10gAudit
At receiver:
/opt/splunk/etc/apps/search/local/inputs.conf
[splunktcp://9997]
index = oamaudit
I have an index created as oamaudit. Am I missing anything?
The index configuration parameter doesn't exist for the splunktcp input - the value for index is set when the Universal Forwarder picks up data, so that's where you should make changes if you want a monitor input to go to another index than the default.
Thanks everyone, I think I have fixed the issue. Splunk did not read the events because the timestamp on the audit data was messed up and, after a long try, it displayed the whole file as one event. I changed the timestamp format in the core application and it all works now. I am receiving every line as an event now. Thanks for all the support.
Thanks for the replies, the data is not received at all, I removed the index value from the indexer and the forwarder, to let it go to the default index, still nothing, I am able to connect to the indexer from the forwarder without problem. Even the log in the forwarder says connected to my indexer IP address. I am running out of options to look at.
Currently your data should go to the main default index. To change this, modify the inputs on the forwarder:
[monitor:///opt/auditLogs]
disabled = false
sourcetype = OAM10gAudit
index = oamaudit
If no data is received at all, check the network and firewall (a simple telnet alert.example.com 9997 from the forwarder should tell you).
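To make the index-placement point from the answers above concrete, here is a small added example (not from the original thread or from Splunk) that parses the two inputs.conf files as constructed samples, flags an `index` set on the receiver's splunktcp stanza as ineffective and a forwarder monitor stanza with no `index` at all, and rewrites the forwarder stanza the way the answer suggests. The file contents, the stanza names and the default index name are assumptions for the demonstration.

```python
"""Lint Splunk-style .conf stanzas for where 'index' is set (added example)."""
import re

# Constructed sample contents, mirroring the thread; not read from a real host.
FORWARDER_INPUTS = "[monitor:///opt/auditLogs]\ndisabled = false\nsourcetype = OAM10gAudit\n"
INDEXER_INPUTS = "[splunktcp://9997]\nindex = oamaudit\n"

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; '#' comments and blank lines are skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def lint_index_placement(forwarder_text, indexer_text, default_index="main"):
    """Return findings: 'index' only takes effect on the monitor input that reads the data."""
    findings = []
    for name, cfg in parse_conf(indexer_text).items():
        if name.startswith("splunktcp") and "index" in cfg:
            findings.append(f"{name}: 'index = {cfg['index']}' has no effect here; set it on the forwarder monitor stanza")
    for name, cfg in parse_conf(forwarder_text).items():
        if name.startswith("monitor:") and "index" not in cfg:
            findings.append(f"{name}: no 'index' set, events will land in '{default_index}'")
    return findings


def add_index(forwarder_text, index):
    """Append 'index = <index>' to every monitor stanza that lacks one; other text is kept verbatim."""
    out, state = [], {"monitor": False, "has_index": False}

    def flush():  # close out the previous stanza before a header or at end of file
        if state["monitor"] and not state["has_index"]:
            out.append(f"index = {index}")

    for raw in forwarder_text.splitlines():
        line = raw.strip()
        if STANZA_RE.match(line):
            flush()
            state["monitor"], state["has_index"] = line.startswith("[monitor:"), False
        elif line.partition("=")[0].strip() == "index":
            state["has_index"] = True
        out.append(raw)
    flush()
    return "\n".join(out) + "\n"
```

Running `lint_index_placement(FORWARDER_INPUTS, INDEXER_INPUTS)` on the constructed samples reports both mistakes; after `add_index(FORWARDER_INPUTS, "oamaudit")` and dropping `index` from the splunktcp stanza, the lint returns no findings.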