1.Ran index=_internal host=
after running I can see thousands of events displayed in search head.

1a.Ran splunk list forward-server

No results for this query

2.Ran head /var/log/messages

I can see some lines after running this.

sourcetype is - cisco:ise:syslog bcoz cisco ise devices are configured to send data to syslog server.

1) did you fill in the host field with the name of the forwarder? And did you run this search from the search head?

1a) did you run splunk list forwarder-server on the forwarder?

2) did you run head /var/log/messages as the user that splunk is running as?

Hi,
Yes , I have installed HF in syslog server. Syslog server getting data from our wireless devices.
We want to index the data before it is reaching to indexer, I think we can't achieve this with UF.

Any suggestion to fix the issue.

Regards,
MC

Have you restarted the HF after you configured the .conf files? If yes, please check the logs under /opt/splunk/var/log/splunk/splunkd.log

or cat /opt/splunkforwarder/var/log/splunk/splunkd.log | grep ERROR

you need to see the information related your UF, if not its not configured properly.

I ran the command as suggested but I don't see anything related to HF.

Most of the errors are related failed authentication only.

Hi ,
Did you edit outputs.conf?

Hi,
I have made a suggested change in outpts.conf.

I can see below error in log file:

01-11-2018 16:45:09.765 +0530 INFO DatabaseDirectoryManager - idx=_internal Writing a bucket manifest in hotWarmPath='/opt/splunk/var/lib/splunk/_internaldb/db', pendingBucketUpdates=0 . Reason=' frozen_buckets'
01-11-2018 17:39:52.393 +0530 INFO TcpOutputProc - Connection to X.X.X.X:9997 closed. Connection closed by server.
01-11-2018 17:40:12.423 +0530 WARN TcpOutputProc - Cooked connection to ip= X.X.X.X:9997 timed out
01-11-2018 17:40:20.274 +0530 INFO TcpOutputProc - Connected to idx= X.X.X.X:9997

No am not able to search data in HF.

how you are checking, show me the command

Am trying this command in forwarder.

sourcetype="cisco:ise:syslog"

Also in outputs.conf file :
[tcpout]
defaultGroup=group1
indexAndForward=true

Hi Mayurr98,
please let me know path where I can find the errors.

in which file I should add this index=_internal

am not sure about your last point.

login heavy forwarder and put index=_internal in search
OR else look the filepath
/opt/splunk/var/log/splunk/splunkd.log

I ran it in search and getting thousands of events.

I checked syslogd.log and below are the recent information from log.

01-11-2018 16:45:09.765 +0530 INFO DatabaseDirectoryManager - idx=_internal Writing a bucket manifest in hotWarmPath='/opt/splunk/var/lib/splunk/_internaldb/db', pendingBucketUpdates=0 . Reason=' frozen_buckets'
01-11-2018 17:39:52.393 +0530 INFO TcpOutputProc - Connection to X.X.X.X:9997 closed. Connection closed by server.
01-11-2018 17:40:12.423 +0530 WARN TcpOutputProc - Cooked connection to ip=40.221.2.184:9997 timed out
01-11-2018 17:40:20.274 +0530 INFO TcpOutputProc - Connected to idx=X.X.X.X:9997

search for ERROR information