Re: Why isn't my Universal Forwarder data making i...

fisk12 · ‎05-19-2011

I have tried to set up a universialforwarder (first time from cli) and have it monitor some log files (/var/log/dhcpd.log for example)
The packets is being send and recived (checked with tcpdump on both end) but the host in not showing up in the splunk server. What kind of stuff should i start to check on the forwarder/server?

RubenOlsen · ‎02-27-2012

At a customer site I'm serving, 9 out of 10 problems with "missing data" is a mismatch between what is stated in the inputs.conf on the UF side and what is configured on the indexer side (i.e. the index you have in inputs.conf stanzas must also be present (and correctly configured) on the indexer side).

A quick way to determine if data is entering your indexes, is to check Manager -> Indexes. Locate your index and check the Earliest / Latest Event columns.

Depending on how your access controls with regards to accessing your indexes are configures, you might need to specify index= in the search field.

jbsplunk · ‎05-19-2011

I would suggest that you look in splunkd.log under the $SPLUNK_HOME/var/log/splunk/ for messages that contain the ip address of the forwarder/indexer, depending on which place you are looking. That should give you some indication as to what is happening with your connection, and if it is successful.

Why isn't my Universal Forwarder data making it into the Indexer?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk