
Broken Hosts

ssingh5
Path Finder

How do I identify & troubleshoot Windows hosts which have not forwarded any log to Splunk within the last 2 weeks?


Drainy
Champion

I am going to make an assumption that you are using the Universal Forwarder. If so, there is a log called Splunkd.log inside Splunk/var/log/splunk/ which lists all the actions in the background.

Inside here it will list any connection problems it has had with regard to forwarding to indexers; it will also list any files that it hasn't noticed changes to and so hasn't forwarded (always a possibility).

If you use the deployment monitor app on the indexer it also has tools to allow you to identify forwarders that have sent less than average events or more than average.

Finally, there is an app called SoS which you can install on the indexer which gives you greater visibility into what is happening in Splunk, with custom-designed dashboards to summarize errors, warnings and potential problems.

If you find any specific errors then please feel free to update your answer and we can try some more advanced troubleshooting techniques if they aren't obvious.

EDIT:
To change to the free license on an indexer or full version of Splunk, follow these steps:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/MoreaboutSplunkFree#Switching_to_Free_from_...

And have a look here for some information on what the Universal Forwarder is:
http://docs.splunk.com/Documentation/Splunk/4.2.5/Deploy/Introducingtheuniversalforwarder


Drainy
Champion

Have you installed a Splunk indexer (the full Splunk) on each host and set it to forward to the main indexer? If so, you will need to log onto the web GUI and switch it to a free license. Splunk comes with a free trial license, but after 60 or 90 days (can't recall which) you have to change it to a free license; I'll update my answer with how to do this. Otherwise, and to make life easier, you could install Universal Forwarders on the remote hosts.


ssingh5
Path Finder

Thank you Drainy for this information. I have logged on to the host which has not sent any log for more than 2 weeks and checked the Splunkd logs, and found a huge amount of errors which say "your license has expired. Log in as an Admin user to install a new license or switch to Splunk with a Free License".

Any suggestions on this ?

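The two checks the thread walks through, as an added example (not code from the original posts or from Splunk): a last-event time per host, as the indexer would know it, flagged when older than 14 days, plus a scan of that host's splunkd.log for the error signatures mentioned (the expired-license message and indexer connection failures). Host names, timestamps and log lines are constructed; the regex patterns are assumptions modelled on the quoted message.

```python
import re
from datetime import datetime, timedelta

# Signatures to surface from splunkd.log. Patterns are assumptions modelled on
# the message quoted in the thread, not an exhaustive list.
ERROR_PATTERNS = {
    "license_expired": re.compile(r"license has expired", re.I),
    "indexer_unreachable": re.compile(r"TcpOutputProc.*(failed|timed out|refused)", re.I),
}

def scan_splunkd_log(lines):
    """Count splunkd.log lines matching each signature: {signature: count}."""
    hits = {}
    for line in lines:
        for name, pattern in ERROR_PATTERNS.items():
            if pattern.search(line):
                hits[name] = hits.get(name, 0) + 1
    return hits

def silent_hosts(last_seen, now, max_age=timedelta(days=14)):
    """Hosts whose most recent indexed event is older than max_age."""
    return sorted(h for h, seen in last_seen.items() if now - seen > max_age)

def triage(last_seen, splunkd_logs, now):
    """For each silent host: days silent plus splunkd.log error counts."""
    return {
        h: {"days_silent": (now - last_seen[h]).days,
            "splunkd_errors": scan_splunkd_log(splunkd_logs.get(h, []))}
        for h in silent_hosts(last_seen, now)
    }

# Constructed sample data: last indexed event per host, splunkd.log excerpts.
NOW = datetime(2012, 4, 20, 12, 0)
LAST_SEEN = {
    "win-host-01": datetime(2012, 4, 19, 23, 50),  # healthy
    "win-host-02": datetime(2012, 3, 30, 8, 15),   # trial license expired
    "win-host-03": datetime(2012, 4, 1, 9, 0),     # cannot reach the indexer
}
LICENSE_MSG = ("Your license has expired. Log in as an Admin user to install "
               "a new license or switch to Splunk with a Free License")
SPLUNKD_LOGS = {
    "win-host-02": [
        "03-30-2012 08:16:02.101 +0000 ERROR LicenseManager - " + LICENSE_MSG,
        "03-30-2012 08:21:02.104 +0000 ERROR LicenseManager - " + LICENSE_MSG,
    ],
    "win-host-03": [
        "04-01-2012 09:01:00.000 +0000 WARN  TcpOutputProc - Connection to 10.0.0.5:9997 failed",
    ],
}
```

Calling `triage(LAST_SEEN, SPLUNKD_LOGS, NOW)` returns only the two quiet hosts, each with how long it has been silent and which splunkd.log signatures explain it.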