Getting Data In

Why is Splunk No Longer Collecting ANY logs from any hosts?

handlin2014
New Member

SET UP: Splunk v 6.6.4 running Windows 10;

STUFF I TRIED: Restarted VM, restarted Splunk, restarted service on server.
Monitoring console shows license is good, disk usage at less than 50%,
Health Check: Nothing unexpected.
We only have ~28 devices.
We use a master-slave license issue. Unsure if the master instance may be running a different version (would that cause this?).
Some appliances have a firewall to traverse, others do not: Not getting any logs for anything, so I don't believe it is a firewall issue.

Any guidance is appreciated.

0 Karma

pixartao
New Member

Same problem here,
I got logs working for a while and then it stops indexing without reason. Splunk keeps receiving logs, so the counter keeps increasing, but the last log received is stuck at a couple of hours ago, depending on when it stops.

I just have 10 MikroTik devices, nothing else. I have the same problem on a Windows machine, Linux, and Docker running on Synology.
Checking with Wireshark, the logs are coming in correctly from the devices.

I don't know how to resolve it; I have reinstalled Splunk so many times now!!

0 Karma

deepashri_123
Motivator

Hey handlin2014,

What errors are you getting in internal logs?
Check index=_internal on the master for any errors.

0 Karma

ddrillic
Ultra Champion

The following can help - I can't find my data!

0 Karma

handlin2014
New Member

I appreciate it, but no, this isn't what my issue is.

0 Karma

klaxdal
Contributor

The first thing I would check: ensure your setup is allowing traffic on port 9997. From the web console: Settings > Forwarding and Receiving > Configure Receiving > Add port 9997

0 Karma

handlin2014
New Member

Thanks for the quick response...
Port 9997 is enabled under Forwarding and Receiving | Configure Receiving | 9997 = enabled.
All logs were coming in and then about 2 weeks ago, all logs from all devices just stopped.

0 Karma