Re: Can´t get any logfiles into splunk enterprise

cschmit1 · ‎10-09-2015

I followed the the whole documentation but I got one problem. I didn´t get any log files in my splunk indexer. I built a test environment with two Windows Server 2008 R2:

Server A (Monitored client with the splunk forwarder IP 172.28.28.27)

Windows Server B (runs Splunk enterprise with indexer, deployment server (sendtoindexer app, splunk Add-on for Windows) IP 172.28.28.28)
But I didn´t get any logfiles. My setup looks like this:

The configured forwarder
http://www0.xup.in/exec/ximg.php?fid=10607561

the sendtoindexer app
http://www0.xup.in/exec/ximg.php?fid=41677695

the windows app
http://www0.xup.in/exec/ximg.php?fid=20050979

The Forward Management on splunk enterprise
http://www0.xup.in/exec/ximg.php?fid=16913503
http://www0.xup.in/exec/ximg.php?fid=34496890
http://www0.xup.in/exec/ximg.php?fid=16003466

My searchhed shows always: Waiting for input.
Can anyone help me?
Thanks a lot

cschmit1 · ‎10-13-2015

This is my splunkd.log
10-09-2015 10:49:47.582 +0200 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_172.28.28.27_8089_WIN-S341BFF7Q2O_WIN-S341BFF7Q2O_1581A9B3-BC5F-4A64-B9E2-59D58027B690
10-09-2015 10:49:47.582 +0200 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_172.28.28.27_8089_WIN-S341BFF7Q2O_WIN-S341BFF7Q2O_1581A9B3-BC5F-4A64-B9E2-59D58027B690
10-09-2015 10:50:47.595 +0200 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_172.28.28.27_8089_WIN-S341BFF7Q2O_WIN-S341BFF7Q2O_1581A9B3-BC5F-4A64-B9E2-59D58027B690

malmoore · ‎10-13-2015

This is on the forwarders or the indexer?

cschmit1 · ‎10-14-2015

on the forwarder

mikelanghorst · ‎10-12-2015

Asking the most basic question: Did you actually configure inputs?

Edit: The Splunk_TA_windows inputs aren't actually enabled when you download them from SplunkBase.

cschmit1 · ‎10-12-2015

yes 😃 I changed the values from 1 to 0

malmoore · ‎10-09-2015

Hi cschmit1,

Looks like your setup is correct…so this seems like a connectivity issue. Possibly Windows Firewall.

Check splunkd.log on the forwarder. Does it attempt to connect to the indexer at 172.28.28.28?

Add the telnet capability to your forwarder and attempt to connect to the instance that way:

telnet 172.28.28.28 9997

If that works, then we can troubleshoot what is going on with the forwarder.

cschmit1 · ‎10-12-2015

telnet on this port didn´t work neiter.
Both windows firewalls were deactivated.
netstat -an shows Local Adress 172.28.28.28:9997 | Foreign Adress 172.28.28.27:61024 | Established

malmoore · ‎10-12-2015

Ok, so did telnet fail with a connection refused or a connection timed out ? If the former, that might be expected because communication has already occurred on those ports, though I do believe that multiple inbound connections are acceptable. If it's a timeout, then some sort of network barrier or break exists between your forwarder and your indexer.

It looks like your forwarder did make a connection to the indexer, so we need to see why it's not sending the data. Let's take a look at splunkd.log on the forwarder and see what the connection conversation looks like. You'd be looking for attempts from the forwarder to hit the indexer. If you don't mind, you can paste that conversation here.

cschmit1 · ‎10-12-2015

wehere can I find the splunkd.log on the forwareder?

malmoore · ‎10-13-2015

They are in C:\Program Files\SplunkUniversalForwarder\var\log\splunk.

Can´t get any logfiles into splunk enterprise

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!