Re: How can I check whether the data is being forw...

pratapa · ‎12-23-2019

How can I check whether the data from a server is being forwarded to indexer.

richgalloway · ‎12-23-2019

Search for the data. Look for it in the index specified in the inputs.conf file as well as in your Last Chance index ("main" or whatever you've designated), if you have one.

Another way is to look in the internal logs. Search index=_internal source=*metrics.log group=per_source_thruput and look for series field values that match your source names.

---
If this reply helps you, Karma would be appreciated.

pratapa · ‎12-31-2019

I am checking with the following search query whether the data is being forwarded to indexer from host1. But search query returned
No results found.

index=_internal source=*metrics.log group=per_source_thruput host=host1

How should I troubleshoot from here.

richgalloway · ‎12-31-2019

Look in the internal index for tcpin_connection events from host1. index=_internal source=*splunkd.log host=host1 tcpin_connection.

If you find nothing there then data is not being forwarded. Check the forwarder's splunkd.log ($SPLUNK_HOME/var/log/splunk/splunkd.log) for possible reasons. Check your firewalls.

---
If this reply helps you, Karma would be appreciated.

How can I check whether the data is being forwarded to indexer

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases