We are receiving _internal logs from universal for...

saisrujan28 · ‎01-29-2018

Universal forwarder sending data _internal logs and we are receiving those logs and appeared on search heads.

But we deployed an add-on on the same universal forwarder. But we are not receiving data from the index which is present in the add-on. We created index on indexers.we are receiving data to this index from other UF's.
After deploying add-on we restarted UF

Example: index=_internal host=abc (we are getting splunkd logs)

index= test1 host=abc (we are not able see any logs)

can any one explain why this happens??

micahkemp · ‎02-07-2018

Which addon did you deploy? Does this addon set the host value based on the event payload? Did you enable the inputs?

You may want to start by including your inputs.conf from the forwarder to enable additional help.

ansif · ‎02-07-2018

Dont you see any clue from Indexer and UF _internal logs.Just search for this indexname as keyword.

somesoni2 · ‎01-29-2018

Obviously something is not configured properly for your non-internal data monitoring. I would suggest going through this post for troubleshooting steps.
http://docs.splunk.com/Documentation/Splunk/7.0.1/Troubleshooting/Cantfinddata

saisrujan28 · ‎01-29-2018

we have checked diag file from universal forwarder everything configured properly

We are receiving _internal logs from universal forwarders but we are not receiving data from indexes which are created externally???

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?