Blog tagged as Data Frowarding Issues
Scenario-6: Except 1 source other sources are sending logs from same forwarder.
Root Cause: Data input was disabled during previous deployment.
Solution: Enable the data input & check if the data starts flowing for the respective source.
Root Cause: Data input was disabled during previous deployment.
Solution: Enable the data input & check if the data starts flowing for the respective source.
13.06.24 10:46 PM - Comment(s)
Issue: Forwarder is not sending data
Scenario-5: Forwarder error logs say, Indexers are not reachable
Root Cause:
9997 port is not open in Security Groups inbound & outbound rules.
Solution:
Enable 9997 port in the outbound of the Forwarder & inbound of the Indexer
Root Cause:
9997 port is not open in Security Groups inbound & outbound rules.
Solution:
Enable 9997 port in the outbound of the Forwarder & inbound of the Indexer
13.06.24 10:43 PM - Comment(s)
Data Forwarding Issues:
Issue: Forwarder is not sending data.
Scenario 3: None of the logs are available in Indexer for last few hours, even Indexer’s internal logs.
Root Cause:
The Indexer Disk size was full.
Solution:
Increase the Indexer Disk/Storage size
(or)
Remove unwanted data from the Indexer, Like ...
13.06.24 10:26 PM - Comment(s)
Data Forwarding Issues:
Issue: Forwarder is not sending data
Scenario 2: Forwarder is running & was sending data earlier, has all the access
Root Cause:
Forwarder had indexer IP in outputs.conf, the corresponding indexer was down
Solution:
Bring up the Indexer
(or)
Enable Indexer...
13.06.24 10:22 PM - Comment(s)
Data Forwarding Issues:
Issue: Forwarder is not sending data
Scenario-4: Intermittent data flow -But the source is producing the data live
Root Cause:
Sudden burst of incoming data, leads to stall the forwarder queue
Solution:
This is expected in few scenarios where the data sources are too many. One way ...
13.06.24 10:22 PM - Comment(s)
Data Forwarding Issues
Issue-3:
The Forwarder is not sending data
Scenario-1:
No logs are sent by forwarder, even internal logs
Root Cause:
The forwarder is stopped due to a source server restart done by the Application team
Solution:
Enable boot start for forwarder, this will make sure t...
13.06.24 10:15 PM - Comment(s)
Categories
Tags
- Data Replication Issues
- Data Frowarding Issues
- App Deployment Issues
- Indexers down 3-member cluster
- Two Indexers down 3-member cluster
- All Indexers down 3-member cluster
- Search Heads down 3-member cluster
- Two Search heads down 3-member cluster
- All Search Heads down 3-member cluster
- Deployer is down
- Monitoring Console down
- Deployment Server down
- Universal Forwarder down
- License Server/Manager down
- Decide number Search Heads & Indexers
- how to choose forwarder (UF or HF)
- Intermediate Forwarder (IF))
- Licence Forwarders
- can't use single instance with huge size instead separatly
- How splunk stores Indexes
- Possible open flat files in Notepad++
- Possible rename index
- clean index splunk instances & indexer cluster
- Migrate index 1 splunk server to another splunk server
- Backup splunk configuration/data
- upgrade splunk enterprise
- upgrade splunk enterprise which clustered
- Upgrade the Splunk Universal Forwarder
- Deploy apps to search head clusters
- Deploy Apps indexer Cluster
- Connect Forwarders to indexer cluster
- Difference between Heavy forwarders & HTTP Event collector
- Cluster Master is down Then need a cluster master
- colocation of splunk components
- meant colocation splunk components
- Deployment server to distribute apps to search head cluster & indexer
- reduce licence in splunk
- why need license master/server
- Replication Factor lower than search factor
- Timestamp Issues
- Event Truncation Issues
- Retention Plicy Issues
- SAML Issues
- Parsing Issues
- File Monitoring Issue
- Configuration Issue
- Summary Index Issues
- Deployment Issues