Solved: Heavy forwarder - Doesn't show/forward events

rahiparikh · ‎09-23-2011

Hi,

I installed a heavy forwarder on a box and, after a while, I found out that license was not working. ( By mistake, I forgot to change the license type to forwarder and instead ran it under enterprise trial license. )

Indexer name            server-name
License expiration      xxx x, xxxx 4:00:04 AM
Licensed daily volume   1 MB
Volume used today       0 MB (0% of quota)
Warning count           0

So, I contacted splunk and got the reset license and applied it. But, now after reboot I get the same message and my data doesn't show up in indexer. I am sure that they have an established connection because when I check for open ports they have a live connection.

Don't know what problem could be. Any idea? Thanks!

Simeon · ‎09-26-2011

It sounds like forwarding is not enabled or working. You should run the following search on the indexer to see if it has even connected:

index=_internal source=*metrics.log tcpin_connections | timechart count by sourceIp

If there are no events, then it is likely your forwarder is not configured properly. you should then examine your outputs.conf settings and inputs.conf settings.

View solution in original post

Simeon · ‎09-26-2011

It sounds like forwarding is not enabled or working. You should run the following search on the indexer to see if it has even connected:

index=_internal source=*metrics.log tcpin_connections | timechart count by sourceIp

If there are no events, then it is likely your forwarder is not configured properly. you should then examine your outputs.conf settings and inputs.conf settings.

Heavy forwarder - Doesn't show/forward events

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification