All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unix Forwarder Not Showing In Deployment Monitor

AaronMoorcroft
Communicator
‎04-24-2013 08:26 AM

Hi Guys

I work in a huge enviroment and one of the Unix guys has installed a forwarder on there Unix box, I'm assuured that the installation was succesful and I have to take that as gospel at the moment, my question is should I expect to see a Unix forwarder in the Deployment manager app ?

Is there a serch and can put into Splunk to find the Unix forwarder ? the funny thing is Im able to search the host name of where this forwarder has been installed and logs are found but there found from a while back up until now, the forwarder was only installed a few hours ago so Splunk is getting this information from somewhere else by the look of it.

Any Ideas ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mkinsley_splunk
Splunk Employee
Splunk Employee
‎04-24-2013 12:11 PM

Hi Aaron,

Yes, you should be seeing the forwarders in the DM app. Here is a modified, shortened version of the search used to populate the Forwarders View inside the app:

index="_internal" source="*metrics.lo*" group=tcpin_connections | stats count by host

Forwarder logs are sent to the _internal index and have metrics.log inside the source name. If you want to see the raw events , remove the stats clause.

Thanks,

Michael

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mkinsley_splunk
Splunk Employee
Splunk Employee
‎04-24-2013 12:11 PM

Hi Aaron,

Yes, you should be seeing the forwarders in the DM app. Here is a modified, shortened version of the search used to populate the Forwarders View inside the app:

index="_internal" source="*metrics.lo*" group=tcpin_connections | stats count by host

Forwarder logs are sent to the _internal index and have metrics.log inside the source name. If you want to see the raw events , remove the stats clause.

Thanks,

Michael

0 Karma
Reply
Solved! Jump to solution

matt
Splunk Employee
Splunk Employee
‎04-24-2013 09:00 AM

If the forwarder was configured to index /var/log/messages/ then it probably just indexed the archived log files.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...