Getting Data In

Universal uploader not sending data events

vikramsekaran
New Member

Hi,
I have a Universal Forwarder set up on a Linux x64 machine, with a monitor set up from the CLI to load a whole folder full of log files. I do not receive data events at the receiver from the log files; some of the files are reported as binary files, but even the others are not showing up. It is a trial license and I have 0 license violations, and I could see the forwarder as active in the deployment monitor. I have tried cleaning the indexes and bouncing the Splunk instances on both machines, with no help. We need to decide soon if we want to stick with Splunk, but only if we can get this one working in the first place.

/opt/splunkforwarder/etc/system/local/outputs.conf
[tcpout]
defaultGroup = alert.example.com_9997

[tcpout:alert.example.com_9997]
server = alert.example.com:9997

[tcpout-server://alert.example.com:9997]

/opt/splunkforwarder/etc/apps/search/local/inputs.conf

[monitor:///opt/auditLogs]
disabled = false
sourcetype = OAM10gAudit

At receiver:

/opt/splunk/etc/apps/search/local/inputs.conf
[splunktcp://9997]
index = oamaudit

I have an index created as oamaudit. Am I missing anything?


Ayn
Legend

The index configuration parameter doesn't exist for the splunktcp input - the value for index is set when the Universal Forwarder picks up data, so that's where you should make changes if you want a monitor input to go to another index than the default.


vikramsekaran
New Member

Thanks everyone, I think I have fixed the issue. Splunk did not read the events because the timestamp on the audit data was messed up, and after a long try it displayed the whole file as one event. I changed the timestamp format in the core application and it all works now. I am receiving every line as an event now. Thanks for all the support.

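The Splunk-side counterpart of that fix, as an added example that is not part of the original thread: when a sourcetype's timestamp cannot be recognised, Splunk's default line merging glues every unrecognised line onto the previous event, which is exactly the "whole file as one event" symptom. A props.conf stanza for the OAM10gAudit sourcetype can pin the line breaking and the timestamp layout instead of changing the producing application. Parsing-time settings like these belong where the data is parsed, which for a Universal Forwarder is the indexer, not the forwarder. The timestamp layout below is an assumption, since the thread does not show an actual OAM 10g audit line; replace TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD with the real one.

```ini
# /opt/splunk/etc/apps/search/local/props.conf on the indexer (hypothetical location,
# matching where the thread keeps its inputs.conf)
[OAM10gAudit]
# One event per line; never merge a line with an unparseable timestamp into the
# previous event (the default SHOULD_LINEMERGE = true causes the single-event file).
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# ASSUMPTION: each audit line begins with a timestamp like "2024-05-01 13:45:07".
# Adjust all three settings to the real OAM audit layout.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
# Reject wildly wrong timestamps instead of indexing them silently
# (these are the documented defaults, stated explicitly here).
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
```

After restarting the indexer, confirm the stanza is the one in effect with `splunk btool props list OAM10gAudit --debug` from /opt/splunk/bin; it prints every setting together with the file it came from, so a stray app-level props.conf overriding yours shows up immediately.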

vikramsekaran
New Member

Thanks for the replies. The data is not received at all. I removed the index value from the indexer and the forwarder to let it go to the default index, and still nothing. I am able to connect to the indexer from the forwarder without problem; even the log in the forwarder says connected to my indexer IP address. I am running out of options to look at.


yannK
Splunk Employee

Currently your data should go to the main default index.

To change this, modify the inputs on the forwarder:

[monitor:///opt/auditLogs]
disabled = false
sourcetype = OAM10gAudit
index = oamaudit

If no data is received at all, check the network and firewall (a simple telnet alert.example.com 9997 from the forwarder should tell you).

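The two config points in this thread (Ayn's reply that `index` on the receiver's splunktcp stanza does nothing, and yannK's reply that the monitor stanza on the forwarder must carry the index and that the receiving port must be reachable) are easy to check mechanically before bouncing instances. The following script is an added example, not Splunk's own tooling: it parses the forwarder's inputs.conf and outputs.conf and the receiver's inputs.conf, flags the misplaced or missing `index`, and offers a TCP connect probe equivalent to the telnet test. The embedded config strings are the ones posted in the thread; the probe only runs from `__main__`, so the lint functions work offline.

```python
"""Sanity checks for the forwarder -> indexer path discussed in the thread.

Added example, not part of Splunk. The embedded configs are copied from the
posts above so the lint functions can be exercised without a Splunk install.
"""
import configparser
import socket
from typing import List, Tuple


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk .conf text: INI-like, case-sensitive keys, no % interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # keep key case; Splunk does not fold 'Index' to 'index'
    cp.read_string(text)
    return cp


def lint_forwarder_inputs(inputs_text: str, expected_index: str) -> List[str]:
    """Flag monitor stanzas that will not deliver events to expected_index."""
    findings = []
    cp = parse_conf(inputs_text)
    for section in cp.sections():
        if not section.startswith("monitor://"):
            continue
        if cp.get(section, "disabled", fallback="false").strip().lower() in ("1", "true"):
            findings.append(f"{section}: input is disabled")
        idx = cp.get(section, "index", fallback=None)
        if idx is None:
            findings.append(f"{section}: no index set, events go to the default index (main)")
        elif idx.strip() != expected_index:
            findings.append(f"{section}: index={idx.strip()}, expected {expected_index}")
    return findings


def lint_receiver_inputs(inputs_text: str) -> List[str]:
    """Flag 'index' on splunktcp stanzas, where it has no effect on forwarded data."""
    cp = parse_conf(inputs_text)
    return [
        f"{s}: 'index' has no effect here; set it on the forwarder's monitor stanza"
        for s in cp.sections()
        if s.startswith("splunktcp://") and cp.has_option(s, "index")
    ]


def tcpout_servers(outputs_text: str) -> List[Tuple[str, int]]:
    """Return (host, port) for every server listed in [tcpout:<group>] stanzas."""
    cp = parse_conf(outputs_text)
    servers = []
    for section in cp.sections():
        if section.startswith("tcpout:") and cp.has_option(section, "server"):
            for hostport in cp.get(section, "server").split(","):
                host, _, port = hostport.strip().rpartition(":")
                servers.append((host, int(port)))
    return servers


def reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect test: the scripted equivalent of 'telnet host 9997'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Configs exactly as posted in the thread (constructed strings for this example).
FORWARDER_OUTPUTS = """\
[tcpout]
defaultGroup = alert.example.com_9997

[tcpout:alert.example.com_9997]
server = alert.example.com:9997

[tcpout-server://alert.example.com:9997]
"""

FORWARDER_INPUTS = """\
[monitor:///opt/auditLogs]
disabled = false
sourcetype = OAM10gAudit
"""

RECEIVER_INPUTS = """\
[splunktcp://9997]
index = oamaudit
"""

if __name__ == "__main__":
    for finding in lint_forwarder_inputs(FORWARDER_INPUTS, "oamaudit"):
        print("forwarder:", finding)
    for finding in lint_receiver_inputs(RECEIVER_INPUTS):
        print("receiver:", finding)
    for host, port in tcpout_servers(FORWARDER_OUTPUTS):
        print(f"{host}:{port} reachable from here: {reachable(host, port)}")
```

Run it on the forwarder host so the connect probe exercises the same network path the forwarder uses; a successful TCP connect only rules out firewalling, so if it succeeds and the forwarder's splunkd.log still shows it connected, the remaining suspects are the input itself (the file-read and timestamp issues discussed above) rather than transport.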