Troubleshoot common issues with integrating a universal forwarder

Troubleshoot cloned systems not sending data

Data from cloned systems do not appear in Splunk Enterprise.

Take one or more of the following steps:
  • Check if the universal forwarder is running:
    sudo systemctl status Splunkd
  • To verify the configuration, list the Splunk indexers or other Splunk instances that the universal forwarder is configured to send data to:
    /opt/splunkforwarder/bin/splunk list forward-server
  • Monitor logs in real time to detect issues in the universal forwarder operation:
    tail -f /opt/splunkforwarder/var/log/splunk/splunkd.log

Troubleshoot multiple systems reporting the same hostname

All cloned systems appear under the same hostname in the Splunk environment.

  1. Manually set the hostname by taking these substeps:
    1. Create the inputs.conf file in the local directory of the universal forwarder (overwriting it if it already exists) and add the [default] stanza to it:
      echo "[default]" > /opt/splunkforwarder/etc/system/local/inputs.conf
    2. In the inputs.conf file, set the host setting to the actual hostname of the machine where you execute the command:
      echo "host = $(hostname)" >> /opt/splunkforwarder/etc/system/local/inputs.conf
  2. Restart the universal forwarder:
    /opt/splunkforwarder/bin/splunk restart
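To make this fix repeatable across a fleet of clones, the following added shell example (not from the Splunk documentation) writes the [default] stanza only when the configured host differs from the machine's hostname, and restarts the forwarder only in that case. It assumes SPLUNK_HOME is /opt/splunkforwarder and that the host value lives in the [default] stanza of the local inputs.conf.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation: make the universal
# forwarder report this machine's own hostname. SPLUNK_HOME defaults to
# /opt/splunkforwarder (an assumption); override it to test elsewhere.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
INPUTS_CONF="$SPLUNK_HOME/etc/system/local/inputs.conf"

# Print the host value from the [default] stanza of the given inputs.conf,
# or nothing if the file or the setting is absent.
configured_host() {
    [ -f "$1" ] || return 0
    awk -F' *= *' '
        /^\[/ { in_default = ($0 == "[default]") }
        in_default && $1 == "host" { print $2; exit }
    ' "$1"
}

# Write a [default] stanza with host = NAME into CONF. The file is replaced,
# as in the documented steps. Prints "changed" or "unchanged" so the caller
# knows whether the forwarder needs a restart.
set_forwarder_host() {
    conf="$1"
    name="${2:-$(hostname)}"
    if [ "$(configured_host "$conf")" = "$name" ]; then
        echo unchanged
        return 0
    fi
    mkdir -p "$(dirname "$conf")"
    printf '[default]\nhost = %s\n' "$name" > "$conf"
    echo changed
}

# Apply to the real forwarder and restart only if the file changed.
main() {
    if [ "$(set_forwarder_host "$INPUTS_CONF")" = changed ]; then
        "$SPLUNK_HOME/bin/splunk" restart
    fi
}

if [ "${1:-}" = apply ]; then
    main
fi
```

Run it as `sh fix_host.sh apply` on each clone; with no argument it only defines the functions.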

Troubleshoot SSL authentication errors

The splunkd.log file reports connection errors.

Take one or more of the following steps:
  1. Verify network connectivity to the indexer:
    telnet indexer.company.com 9997
  2. Check authentication tokens in the outputs.conf file.
  3. If the Secure Sockets Layer (SSL) certificates are tied to the hostname, regenerate them.