Hi to all, I configured a forwarder as follows:
In Splunk Server:
- in /opt/splunk/etc/deployment-apps I copied the forwarder apps (fwd_common, fwd_jboss,..)
- in /opt/splunk/etc/deployment-apps/fwd_common/default/outputs.conf I inserted
[tcpout]
defaultGroup = ovdgroup
[tcpout:ovdgroup]
server = splunkserverIP:9997
autoLB = true
in /opt/splunk/splunk/etc/system/local/serverclass.conf I inserted
[serverClass:FWD_JBOSS]
whitelist.0 = monitoredserverhostname
[serverClass:FWD_COMMON]
whitelist.0 = monitoredserverhostname
I set the inputs.conf files in order to analyze log files.
In Forwarder management, in "Clients" tab, I can see the client (Jboss Server) that "Phoned Home" a few seconds ago and in "Apps" tab I can see the apps deployed.
The indexes that should be populated by jboss log files are empty.
Which checks can I perform in order to understand why indexes are empty?
Thanks,
Andrea
If I search for index=internal the only host present is the splunk server, so I think clients aren't sending data.
But in Forwarder management, in "Clients" tab, I can see the client (Jboss Server) that "Phoned Home" a few seconds ago and in "Apps" tab I can see the apps deployed, so where is the bug?
hello there,
try this article:
http://docs.splunk.com/Documentation/Splunk/6.6.1/Troubleshooting/Cantfinddata
also, did you set your app to restart splunkd? enable restart configuration, might be needed when adding inputs.
good way to check is to search index=_internal host=yourhost
if there's data, it means the inputs did not apply
if there is not, check also outputs
hope it helps
I tried following search
index =_internal clientip=10.95.1.119
All results are like
16/06/17 10.21.08,858
10.95.1.119 - - [16/Jun/2017:10:21:08.858 -0400] "POST /services/broker/phonehome/connection_10.95.1.119_8089_10.95.1.119_hostname HTTP/1.1" 200 1126 - - - 1ms
host = splunk-server.novalocal source = /opt/splunk/splunk/var/log/splunk/splunkd_access.log sourcetype = splunkd_access
I think the only activity is the "phonehome/connection" but not log file forward.
Have I failed to install forwarder? I've read http://docs.splunk.com/Documentation/Splunk/6.6.1/Troubleshooting/Cantfinddata but it seems to be ok.
Thanks
does your host send data to splunk?
index=_internal host=yourUniqueHost
can you look at the host file structure?
go to splunkforwarder/etc/apps/ and make sure you see the apps you are trying to deploy
hope it helps
look here:
http://docs.splunk.com/Documentation/Splunk/6.6.1/Updating/Useserverclass.conf
your serverclass.conf is off.
will recommend to start with the GUI by creating a serverclass, adding clients and adding apps
then go to back-end and look at the serverclass.conf that splunk created.
the logic can be sometimes a little confusing
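Added example, not part of any post in this thread: a small Python lint over the two files quoted in the question, checking that defaultGroup in outputs.conf points at a defined [tcpout:<group>] stanza with host:port targets, and listing server classes that have no [serverClass:<name>:app:<app>] stanza (the form the serverclass.conf format uses to map an app to a class). The function names are hypothetical and the sample input is constructed from the snippets above, which may not be the poster's complete files.

```python
import configparser
import re

# Constructed sample input: the two files as quoted in the question.
OUTPUTS_CONF = """\
[tcpout]
defaultGroup = ovdgroup
[tcpout:ovdgroup]
server = splunkserverIP:9997
autoLB = true
"""
SERVERCLASS_CONF = """\
[serverClass:FWD_JBOSS]
whitelist.0 = monitoredserverhostname
[serverClass:FWD_COMMON]
whitelist.0 = monitoredserverhostname
"""


def _parse(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written (defaultGroup, autoLB)
    cp.read_string(text)
    return cp


def check_outputs(text):
    """Return a list of problems found in an outputs.conf body."""
    cp, problems = _parse(text), []
    groups = cp.get("tcpout", "defaultGroup", fallback="")
    if not groups.strip():
        problems.append("[tcpout] has no defaultGroup")
    for group in filter(None, (g.strip() for g in groups.split(","))):
        stanza = f"tcpout:{group}"
        if not cp.has_section(stanza):
            problems.append(f"defaultGroup '{group}' has no [{stanza}] stanza")
            continue
        for target in cp.get(stanza, "server", fallback="").split(","):
            if not re.fullmatch(r"\s*[^\s:]+:\d{1,5}\s*", target):
                problems.append(f"[{stanza}] server '{target.strip()}' is not host:port")
    return problems


def classes_without_apps(text):
    """Server classes that have no [serverClass:<name>:app:<app>] stanza."""
    sections = _parse(text).sections()
    classes = [s.split(":")[1] for s in sections if re.fullmatch(r"serverClass:[^:]+", s)]
    mapped = {s.split(":")[1] for s in sections if re.fullmatch(r"serverClass:[^:]+:app:.+", s)}
    return [c for c in classes if c not in mapped]
```

On the quoted files, check_outputs finds nothing wrong with the outputs.conf structure, while classes_without_apps returns both FWD_JBOSS and FWD_COMMON; comparing against the serverclass.conf that the GUI writes shows the app stanzas it adds.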