Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

3 Forwarders shown in Deployment Monitor, but can search events from only one system

tonopahtaos
Path Finder
‎02-07-2012 10:50 AM

Hi,

I configured Splunk to receive events on port 9997 (the default value). Then setup 3 forwarders to send events to it. The first forwarder is Windows universal forwarder. The rest 2 are Linux universal forwarders. After that, i can see all 3 forwarders from Deployment Monitor.

But only events from first forwarder can be searched. So, I can only search Windows events. For other 2 Linux events, they are not shown in search summary page (only one host is shown on the Search/Summary tab's "Hosts" section). I can see total KB 1000Kb and 880Kb respectively for these Linux machines from Deployment Monitor's UI ('All Forwarders' tab) so Splunk does get events from these Linux boxes.

Anybody had this kind problem before?

TIA

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mikelanghorst
Motivator
‎02-07-2012 04:31 PM

I'll go out on a limb with a couple of assumptions. For the Linux inputs, are you using the Splunk for Unix/Linux app? When you search are you specifying any indexes?

The Splunk for Unix/Linux application will send all of it's data to index=os, but from the Search app, the default out of the box index you'll be searching will be default/main, so you wouldn't find any data, nor would the Search Summary page show any of this data by default.

Add the following to your search, or use the *Nix app page (which does it for you)
index=os

View solution in original post

Reply
Solved! Jump to solution
Solution

mikelanghorst
Motivator
‎02-07-2012 04:31 PM

I'll go out on a limb with a couple of assumptions. For the Linux inputs, are you using the Splunk for Unix/Linux app? When you search are you specifying any indexes?

The Splunk for Unix/Linux application will send all of it's data to index=os, but from the Search app, the default out of the box index you'll be searching will be default/main, so you wouldn't find any data, nor would the Search Summary page show any of this data by default.

Add the following to your search, or use the *Nix app page (which does it for you)
index=os

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...