From Splunk Wiki

Jump to: navigation, search

< Back to Troubleshooting

Troubleshooting setting up forwarding

These instructions assume that you have already followed the basic configuration instructions in the Admin manual, and you are not seeing data being indexed on your receiving instance -

Have you verified that a connection is being established between your machines? If you look in $SPLUNK_HOME/var/log/splunk/splunkd.log you should see connection confirmation events.

If yes to the above, have you verified that the forwarder is actually getting data to forward? To do this you can enable local indexing on your forwarder, so that it keeps a copy of any incoming data.

If data gets indexed locally, but is not making it to your indexing instance, there may be a firewall or network routing issue at fault. You can use tcpdump on your indexing server to verify that data is actually being received on the specified port.

After all of these checks, if you're still not seeing where the fault lies or where the data is going, please run a 'splunk diag' on both your indexer and your forwarder, create a case with Splunk SUpport and upload the diag output -

Personal tools
Hot Wiki Topics

About Splunk >
  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk