I have this Heavy Forwarder apparently not sending its own _internal logs `$SPLUNK_HOME/var/log/splunk/*.log` to the indexers.
What I've already checked:
1. HF is working fine, delivering data which it's set to receive and forward.
2. HF is phoning Deployment server fine.
3. _audit index is being indexed fine.
4. Using `$ splunk list forward-server` I see it is properly set to send data only to correct indexers.
5. The logs are being written as expected and have proper reading permissions, e.g.:
`$ ls -ltr ~/var/log/splunk/splunkd.log
-rw------- 1 splunk splunk 12983503 Feb 26 11:43 /opt/splunk/var/log/splunk/splunkd.log`
6. Searching for _internal index into HF returns no results as supposed to be.
Any ideas about what is going on?
There is already a question about it in Answers, but not satisfying answered...
https://answers.splunk.com/answers/686484/why-are-internal-logs-from-heavy-forwarderhf-not-g.html
Thanks,
TCM
↧