Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Not getting data from sample files on search head /forwarder to index cluster

greatdane
New Member
‎07-02-2018 09:55 AM

I am new to trying to set up a dev environment with 1 deployment server, 1 search head/forwarder 1 master cluster, 2 indexers within the cluster. I have taken data samples and placed them in directories on the search head ex. opt/splunk//hops/asalogs. I have configured the inputs.conf file to monitor for these to ingest and be sent towards the indexers in my outputs.conf file. My props.conf file has been created to do the parsing of the logs. Bear in mind the hops index mentioned in the stanzas is located on the cluster master

Inputs.conf

[monitor:///opt/splunk/HOPS/asalogs/*.log]
sourcetype=apps:hops:websphere
index=hops
disabled=false

[monitor:///opt/splunk/HOPS/jse/*.xml]
sourcetype=apps:hops:jse
index=hops
disabled=false

Outputs.conf

[indexAndForward]
index = false

[tcpout]
defaultGroup=indexcluster
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:indexcluster]
server=1.1.1.1:9997,1.1.1.2:9997
disabled = false

[tcpout-server://1.1.1.1:9997]

Props.conf

[apps:hops:jse]
CHARSET=UTF-8
MAX_TIMESTAMP_LOOKAHEAD=32
SHOULD_LINEMERGE=true
disabled=false
TIME_PREFIX=\

[apps:hops:websphere]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
CHARSET=UTF-8
MAX_TIMESTAMP_LOOKAHEAD=32
disabled=false
TIME_PREFIX=[

By all indication from all the documentation that I have read is that it should be working, I am not getting a lot of support locally so I am having to go out to other splunk denizens for assistance.

Thanks!

0 Karma
Reply

pradeepkumarg
Influencer
‎07-02-2018 10:36 AM

You mentioned the index stanza is located on the master. I assume you created in an app under master-apps and did a bundle push. You can login to the indexer and go to settings -> indexes to see if the index is actually created on the indexer.

  1. Do you see partial data missing or all data?
  2. Do you see internal data from the forwarder host? index=_internal host=your_forwarder_host
0 Karma
Reply

greatdane
New Member
‎07-02-2018 10:57 AM

I tried and I have 0 amount of data searching all time running the query you provided.

0 Karma
Reply

pradeepkumarg
Influencer
‎07-02-2018 11:09 AM

so, that looks like the forwarder is unable to communicate to the indexers. Verify your outputs.conf and check for any errors in splunkd.log $SPLUNK_HOME/var/log/splunk/splunkd.log

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...