How can I check whether the data from a server is being forwarded to indexer.
Search for the data. Look for it in the index specified in the inputs.conf file as well as in your Last Chance index ("main" or whatever you've designated), if you have one.
Another way is to look in the internal logs. Search index=_internal source=*metrics.log group=per_source_thruput
and look for series
field values that match your source names.
I am checking with the following search query whether the data is being forwarded to indexer from host1. But search query returned
No results found.
index=_internal source=*metrics.log group=per_source_thruput host=host1
How should I troubleshoot from here.
Look in the internal index for tcpin_connection events from host1. index=_internal source=*splunkd.log host=host1 tcpin_connection
.
If you find nothing there then data is not being forwarded. Check the forwarder's splunkd.log ($SPLUNK_HOME/var/log/splunk/splunkd.log) for possible reasons. Check your firewalls.