Splunk Enterprise

forwarder is not always forwarding all the logs

dirkckau
New Member

Hi,

We are using Splunk 6.2.3 and everything was working fine before.

In our new project, we have some additional log files in one directory.

Our issue is that not all the target logs in that directory are being forwarded to the indexer.
E.g., there are 20 log files; sometimes it monitors only 15 log files, sometimes it monitors only 16 log files after a restart, and sometimes all 20 log files are monitored after a restart.

In the splunkd log on the forwarder server, we couldn't find any forwarding errors. For example, in the case where only 15 log files are being forwarded, the splunkd log looks as expected and says that only 15 files are being monitored.

Has anyone had a similar experience?

Regards,
Dirk

0 Karma

dirkckau
New Member

Hi,

Do you know the capacity of a single forwarder?
We are wondering if the forwarding capacity has been reached, as our logs are not small and there is only a single forwarder process on each server.

There are no indexer queue blockages.
The logs roll over every day.

Below is the inputs.conf.

##monitor:///home/tibco/ida/logs/ida*.log]
##index = main
##sourcetype = rrob
##disabled = false

[monitor:///home/tibco/ida/logs/ida*trace.log]
index = main
sourcetype = rrob
disabled = false

[monitor:///home/tibco/ida/logs/ida*access.log]
index = main
sourcetype = rrob
disabled = false

[monitor:///home/tibco/ida/logs/ida*java.log]
index = main
sourcetype = rrob
disabled = false

[monitor:///home/tibco/ida/logs/ida*jsvc.log]
index = main
sourcetype = rrob
disabled = false

[monitor:///home/tibco/ida/logs/ida*tracking.log]
index = main
sourcetype = rrob
disabled = false

Thanks and Regards,
Dirk

0 Karma
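A first check for the symptom described in this thread is whether every file in the directory is matched by one of the posted monitor stanzas at all. The following is an added example, not part of the original posts and not Splunk's own code; the file names in `SAMPLE_FILES` are constructed, and the wildcard translation assumes Splunk's documented semantics (`*` stays within one path segment, `...` recurses through directories).

```python
import configparser
import re

# Active monitor stanzas from the post (settings trimmed for brevity).
INPUTS_CONF = """
[monitor:///home/tibco/ida/logs/ida*trace.log]
disabled = false
[monitor:///home/tibco/ida/logs/ida*access.log]
disabled = false
[monitor:///home/tibco/ida/logs/ida*java.log]
disabled = false
[monitor:///home/tibco/ida/logs/ida*jsvc.log]
disabled = false
[monitor:///home/tibco/ida/logs/ida*tracking.log]
disabled = false
"""

# Constructed sample listing; in practice build it from the real log directory.
LOG_DIR = "/home/tibco/ida/logs/"
SAMPLE_FILES = [LOG_DIR + n for n in (
    "ida01_trace.log", "ida01_access.log", "ida01_java.log", "ida01_jsvc.log",
    "ida01_tracking.log", "ida01_audit.log", "ida01_trace.log.1")]

def monitor_patterns(conf_text):
    """Return {stanza path: compiled regex} for every enabled monitor stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    patterns = {}
    for section in cp.sections():
        if not section.startswith("monitor://"):
            continue
        if cp.get(section, "disabled", fallback="false").lower() in ("1", "true"):
            continue
        path = section[len("monitor://"):]
        # "..." may cross directories; "*" must stay inside one path segment.
        parts = re.split(r"(\.\.\.|\*)", path)
        rx = "".join(".*" if p == "..." else "[^/]*" if p == "*" else re.escape(p)
                     for p in parts)
        patterns[path] = re.compile(rx + r"\Z")
    return patterns

def coverage(conf_text, files):
    """Map each file to the list of stanzas whose pattern matches it."""
    pats = monitor_patterns(conf_text)
    return {f: [s for s, rx in pats.items() if rx.match(f)] for f in files}

def unmatched(conf_text, files):
    """Files that no enabled monitor stanza would pick up."""
    return [f for f, stanzas in coverage(conf_text, files).items() if not stanzas]
```

Files reported by `unmatched` are outside the configuration's scope; files that are matched but still missing at the indexer point to a cause other than the stanza patterns.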

mwdbhyat
Builder

Hi,

Are there any indexer queue blockages? How often do the log files roll? Can you send an example of what your inputs.conf looks like?

0 Karma