Refine your search:

I've set up a forwarder but I'm not receving any events on the splunk indexer.

1
1

I've verified that the indexer (receiver) is the same or later version of Splunk as the forwarder. What log or configuration files can I look at to troubleshoot this problem?

asked 19 Feb '10, 21:07

Jaci's gravatar image

Jaci ♦
8722217
accept rate: 75%

6 Answers:
oldestnewestmost voted
1

You can do the command "splunk list forward-server" to see if the forward-server is active on the forwarder. If it's inactive, it usually means you have not enabled the receiver to receive forwarded data.

Go to the receiver and then browse to the "Manager > Forwarding and receiving > under receive data select Receive data from forwarder. The port specified here should be the same port the forwarders are configured to send data. So if you're receiver is set to receive forwarded data to port 8889, then you should have this listed when you do the "splunk list forward-server" command:

splunkserver:8889

link

answered 13 Mar '10, 18:49

BunnyHop's gravatar image

BunnyHop
7254424
accept rate: 25%

0

On the forwarder check: sysinfo.txt (verify general system info) outputs.conf (verify settings) metrics.log (search for tcpout_connections, destport=xxxx) splunkd.log (search for Error and WARN "failed to make connections")

Configuration/log files to check on indexer: inputs.conf (search for splunktcp:\xxxx) metrics.log (search for data coming from forwarder) splunkd.log (search for Error, tcpin_connections (look for forwarder hostname/IP))

Also, you can try running a search on the indexer to see if data came in from the forwarder.

link

answered 19 Feb '10, 21:47

Jaci's gravatar image

Jaci ♦
8722217
accept rate: 75%

2

I would begin by confirming basic connectivity. I will assume we are on linux and using the default forwarding port of 9997 (no ssl):

Look for your receiving port to be open on the indexer:

> netstat -an | grep 9997

**This should return an active TCP listener on 9997

Look for your receiving port to be connected to from the forwarder:

> netstat -an | grep 9997

**This should return an active TCP connection TO port 9997 on your indexer

If neither of the above are operational, then fowarding will not work. You should review if you have properly configured receiving and forwarding. Note that you may need to restart to enable forwarding.

Next, you should run a search to find the forwarder connection on the indexer:

index=_internal source=*metrics.log tcpin_connections

You should see an event very similar to below with your forwarder IP address:

04-23-2010 23:00:36.887 INFO Metrics - group=tcpin_connections, 192.1.168.10:36924:9997, connectionType=cooked, sourcePort=36924, sourceHost=forwarder.splunk.com, sourceIp=10.8.240.201, destPort=9997, _tcp_Bps=0.00, _tcp_KBps=0.00, _tcp_avg_thruput=2.08, _tcp_Kprocessed=10078.00, _tcp_eps=0.00

If you see positive values for tcp_Kprocessed, that means your forwarder is connected and has transferred data. If you do not see the above event in your metrics.log file (_internal index), you should then refer to the splunkd.log on your indexer and forwarder. Splunk will log an entry in the splunkd.log file when a forwarder has connected.

link

answered 23 Apr '10, 23:06

Simeon's gravatar image

Simeon ♦
3.7k5628
accept rate: 26%

1

Here's a starting point: http://www.splunk.com/wiki/Community:TroubleshootingForwarding

link

answered 14 Mar '10, 04:21

jrodman's gravatar image

jrodman ♦
5.8k2515
accept rate: 42%

0

splunkd.log would be a good start; please check it on the forwarder first, then indexer; look for ERROR lines.

Of config files, outputs.conf on the forwarder is of interest.

Before all that, though, be sure to check network connectivity with ping(8) or ping.

link

answered 19 Feb '10, 21:48

V_at_Splunk's gravatar image

V_at_Splunk
8121414
accept rate: 42%

0

If you are sending data to a specific index. It has to be created on the indexer first. You can see if an index contains data (and when the first and last events arrived) in the web gui.

link

answered 03 Mar '10, 16:38

chris's gravatar image

chris
1.2k112
accept rate: 48%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×404
×30
×9

Asked: 19 Feb '10, 21:07

Seen: 2,213 times

Last updated: 23 Apr '10, 23:06

Related questions

splunk forwarder showing different events indexed than splunk indexer

What happens to my events at Splunk Light Forwarder when the Indexer goes down?

Troubleshooting forwarder -> indexer connection

Filter windows events on indexer from a universal forwarder

Forwarder doest send events to Indexer after SSL activated. "ERROR pipeline"

can a universal forwarder serve as a relay between another forwarder and the indexer?

Passive Splunk Forwarder - Splunk Indexer actively querying it

Filtering events from forwarder at indexer

Universal forwarder with splunk indexer 4.1.7 - will it work?

Copyright © 2005-2012 Splunk, Inc. All rights reserved.