Hello,
I am having an issue with logs coming into my instance of Splunk Enterprise (version 6.2.2) through a Linux server with the universal forwarder installed.
I have the server properly whitelisted in my serverclass.conf, ports 9997 and 8089 are also allowed through the firewall between the forwarder and the indexer, the server is able to phone home in my server class, and I can see in metrics.log that my address is connected and is sending events: connect_close and connect_done to my Splunk server.
Despite all of this, I cannot search through any of the logs in the Search & Reporting app. I made sure I have the right location for the logs in the server class and in the server itself. Everything should be fine and logs should be coming in normally (like my other servers) but this one is still not working correctly.
Does anyone have any ideas as to why this is happening and have any suggestions for some troubleshooting steps?