Getting Data In

running log on splunk heavy forwarder

trojan_81
Path Finder

I have a heavy forwarder on-prem, installed on a Windows OS.

I am troubleshooting why logs are not coming into the Splunk Cloud indexer from a cloud service over API. The API is between my on-prem Splunk heavy forwarder and the cloud service. I suspect the problem is on the cloud service side. I need a way to tell if the logs are even making it to my heavy forwarder. Is there a way to tail a running log on the heavy forwarder?

Also, I am referring to the on-prem Splunk server as a heavy forwarder. Is that the proper term? It sends data to the cloud indexer.

0 Karma

richgalloway
SplunkTrust

Look in \Program Files\Splunk\var\log\splunk\splunkd.log for errors connecting to Splunk Cloud. They'll probably be associated with the TcpOutputProc component. If the HF has its web server enabled (it is by default) then you can sign in and search for index=_internal (component=TcpOutputProc OR SSL).

Problems connecting to Splunk Cloud are usually on the on-prem side. Firewalls often block connections. Certificates may be missing or in the wrong location. The OS may not support the right version of SSL. The logs should offer suggestions about the cause in your case.

---
If this reply helps you, Karma would be appreciated.
0 Karma

trojan_81
Path Finder

Rich. Other apps are able to get logs into this Forwarder via REST API and the logs are searchable on splunk cloud indexer. That tells me that the Forwarder is probably ok. I just need a way to show proof so that I can go back to the vendor's app side.
Proof will be confirming that the logs are not making it to the Forwarder.

0 Karma

richgalloway
SplunkTrust

I still recommend checking firewalls at both ends. Verify the app has the right URI.

If the HF has its web server enabled (it is by default) then you can sign in and search for index=_internal component=TcpInputProc for errors or warnings about incoming connections.

---
If this reply helps you, Karma would be appreciated.
0 Karma
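The two checks Rich describes above (outbound errors from TcpOutputProc/SSL in the first reply, inbound warnings from TcpInputProc in the second) can be done from a PowerShell prompt on the Windows heavy forwarder itself, which also answers the original question about tailing a running log. The script below is an added example written for this page, not code from the thread or from Splunk. It assumes the default install path `C:\Program Files\Splunk` (change `$SplunkHome` if yours differs), and the `Show-SplunkdEvents` function and its parameters are names chosen here for illustration.

```powershell
# Added example, not from the thread. Assumes the default Splunk install path on Windows.
$SplunkHome = 'C:\Program Files\Splunk'
$SplunkdLog = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'

function Show-SplunkdEvents {
    # Filter splunkd.log by component and level; -Follow keeps reading as the file grows (like tail -f).
    param(
        [Parameter(Mandatory)] [string[]] $Component,   # e.g. 'TcpOutputProc','SSL' or 'TcpInputProc'
        [string[]] $Level = @('WARN', 'ERROR'),
        [switch]   $Follow
    )
    # splunkd.log lines look like:
    #   03-12-2024 14:05:33.123 -0500 WARN  TcpOutputProc [1234 TcpOutEloop] - ...
    # i.e. date, time, tz offset, level, component. Match level and component at the start of the line.
    $pattern = '^\S+ \S+ \S+ (?<lvl>' + ($Level -join '|') + ')\s+(?<comp>' + ($Component -join '|') + ')\b'

    if ($Follow) {
        Get-Content -Path $SplunkdLog -Tail 200 -Wait | Where-Object { $_ -match $pattern }
    } else {
        Get-Content -Path $SplunkdLog -Tail 5000 | Where-Object { $_ -match $pattern }
    }
}

# 1. Outbound side (first reply): is the HF having trouble reaching Splunk Cloud?
Show-SplunkdEvents -Component 'TcpOutputProc', 'SSL'

# 2. Ask splunkd directly which forward destinations are configured and which are active.
#    The command prompts for credentials unless you add -auth user:password.
& (Join-Path $SplunkHome 'bin\splunk.exe') list forward-server

# 3. Inbound side (second reply): watch live while the vendor app pushes data.
#    Ctrl+C stops the follow.
Show-SplunkdEvents -Component 'TcpInputProc' -Follow
```

TcpInputProc covers the splunktcp (forwarder-to-forwarder) input; if the vendor app delivers over a different input, filter on whatever component the matching splunkd.log lines carry, or simply `Select-String` the log for the app's source IP while it is sending. Because a heavy forwarder normally forwards its own `_internal` index, the `index=_internal component=...` searches Rich gives can also be run from Splunk Cloud scoped with `host=<hf hostname>`, which is handy when the HF's web interface is turned off.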