I am new Splunk user. I configured the index server and set it up as a receiver. I then installed the light forwarder on another Windows box and configured it to forward to the index server. It appears to be connecting to the Splunk index, according to the splunkd logs on the index.
However, Splunk web does not seem to be indexing the forwarded server data. Under Apps--> Windows, only the original index server shows up under hosts. Shouldn't that show 2 now and have the forwarder listed under there as well? The manual doesn't really explain what to expect in these screens once forwarding is complete, but it doesn't show any content for the forwarded server. Here is the relevant info from the log files on splunk.
I see entries saying "Connecting in cooked mode from (server)." I also see entries saying "Connection accepted from (server)." The other entry I see that might be relevant is "Hostname=(server) closes connection.. ended without a done-key."
Thank you.
JF
... View more