Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk universal forwarder not reporting data from SQL server

Koushik_Katta
Explorer
‎10-17-2017 07:36 AM

Hi everyone ,

We have issue with Splunk universal forwarders , we installed recently on SQl servers , i have all inputs.conf and outputs.conf set correctly and there is no error in log data . but its no reporting logs in splunk. Ours is clustered search head pool with 2 search heads , 5 indexers and 5 heavy forwarders . we have forward management console , which generally phone-in to the universal forwarders by pushing some of the apps . In Past i have some other VM's which i faced the same issue , i reinstalled the universal forwarder agent which fixed the issue , but currently its not happening with these SQL servers .

Thanks in advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-17-2017 07:48 AM

Hi Koushik_Katta,
just a few stupid questions:

did you installed forwarders from scratch or did you cloned it from another installation?
in both the cases check if hostname in $SPLUNK_HOME/etc/system/local/server.conf and $SPLUNK_HOME/etc/system/local/inputs.conf is correct.

have you Splunk internal log files from these forwarders?
if not the problem is connection betwen forwarders and indexers.
If yes check log policies on your SQL Server and then TA that you're using to take logs.

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-17-2017 07:48 AM

Hi Koushik_Katta,
just a few stupid questions:

did you installed forwarders from scratch or did you cloned it from another installation?
in both the cases check if hostname in $SPLUNK_HOME/etc/system/local/server.conf and $SPLUNK_HOME/etc/system/local/inputs.conf is correct.

have you Splunk internal log files from these forwarders?
if not the problem is connection betwen forwarders and indexers.
If yes check log policies on your SQL Server and then TA that you're using to take logs.

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

Koushik_Katta
Explorer
‎10-17-2017 07:59 AM

hi Cusello ,

did you installed forwarders from scratch or did you cloned it from another installation?
yes i did it from scratch , installed manually
in both the cases check if hostname in $SPLUNK_HOME/etc/system/local/server.conf and $SPLUNK_HOME/etc/system/local/inputs.conf is correct
host name is correct in both .conf's
have you Splunk internal log files from these forwarders?
yes
if not the problem is connection betwen forwarders and indexers.
this i'm not sure , i think there wouldn't be connection issues , its working for other agents

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...