Universal splunk forwarder as sidecar not showing internal splunk logs

hemanth45 shared this question 3 months ago
Completed

I have implemented a sidecar container to forward my main application logs to Splunk. I have used the universalsplunkforwarder image. After I deploy, both my main application and the forwarder seem up and running, but I am not receiving any logs in the Splunk index specified. To troubleshoot, splunkd log or any specific Splunk internal logs are not found in the /var/log path. Can someone please help with how we enable these Splunk internal logs?

Replies (6)


Hello hemanth45

Thank you for submitting this request to the Yellowfin Technical Support Team. My name is Ankit Asati and I will be supporting you with this issue.

Sincerely,

Ankit Asati
Yellowfin Technical Support


Hello hemanth45,


I hope you are doing well,

In order to assist you with your request, I would require the name and email address of your company. Additionally, would you also please share the info.jsp?


Sincerely,

Ankit Asati
Yellowfin Technical Support


Hello hemanth45

I wanted to follow up with you regarding the information I requested in my last email. This will allow me to further troubleshoot this issue and work towards a resolution. I know you may be busy but this information is necessary to solve this issue.

Thank you,

Ankit Asati

Yellowfin Technical Support


Hello hemanth45

I wanted to follow up with you regarding the information I requested in my last email. This will allow me to further troubleshoot this issue and work towards a resolution. I know you may be busy but this information is necessary to solve this issue.

If you are unavailable right now, you can always contact us again at a later time by opening a new ticket. I will close this ticket by the end of business tomorrow if I do not receive a reply.

Please reply to this email and I will continue to work to resolve this issue.

Thank you,

Ankit Asati

Yellowfin Technical Support


Hello hemanth45

I hope all is well,

Just wanted to let you know I'll be closing this request due to inactivity. However, you can always contact us again at a later time by opening a new ticket; we will be more than happy to help you.

Sincerely,

Ankit Asati
Yellowfin Technical Support


To enable and access Splunk internal logs within your sidecar container, follow these steps:

  1. Check Log Directory: By default, Splunk internal logs like splunkd.log are located in /opt/splunkforwarder/var/log/splunk/. If they are not found in /var/log, look in this directory instead.
  2. Enable Debug Logging: You can increase the verbosity of Splunk logs by modifying the SPLUNK_LOG_LEVEL in the splunk-launch.conf file, setting it to DEBUG to capture more detailed logs.
  3. Verify Configuration Files: Ensure that inputs.conf and outputs.conf are correctly configured to capture and forward logs to the specified index. Incorrect configurations might prevent logs from being forwarded or written.
  4. Check Permissions: Ensure that the Splunk Universal Forwarder container has the necessary permissions to write logs to the designated directories.
  5. Restart Splunk Forwarder: If changes are made to the configuration, restart the Splunk Forwarder within the container to apply the changes.

These steps should help you locate the Splunk internal logs and troubleshoot why logs aren't being forwarded to your specified Splunk index. ServiceNow CTA Training
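
The reply above points to `/opt/splunkforwarder/var/log/splunk/` as the place to find `splunkd.log`. As an added example (not part of the original reply and not Splunk's or Yellowfin's code), this script checks that path and summarizes WARN/ERROR lines per component with the latest message for each. The function names, the sample log lines and the assumed `date time tz LEVEL Component ... - message` layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: find and triage the forwarder's own splunkd.log inside the sidecar.
# Default SPLUNK_HOME is the path named in step 1 of the reply above.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# Print the splunkd.log path under the given (or default) home; return 1 if unreadable.
find_splunkd_log() {
    log="${1:-$SPLUNK_HOME}/var/log/splunk/splunkd.log"
    [ -r "$log" ] || return 1
    printf '%s\n' "$log"
}

# Summarize WARN/ERROR lines as "<count> <LEVEL> <Component> | <latest message>".
# Assumed layout: <date> <time> <tz> <LEVEL> <Component> [context] - <message>
triage_splunkd_log() {
    awk '$4 == "WARN" || $4 == "ERROR" {
             k = $4 " " $5
             n[k]++
             last[k] = substr($0, index($0, " - ") + 3)
         }
         END { for (k in n) print n[k], k, "|", last[k] }' "$1" | sort -k2
}

# Constructed sample input for offline testing (not from a real system).
write_sample_log() {
    cat > "$1" <<'EOF'
08-14-2024 10:15:01.002 +0000 INFO  TailingProcessor [41 MainTailingThread] - Adding watch on path: /var/log/app.
08-14-2024 10:15:31.440 +0000 WARN  TcpOutputProc [52 parsing] - Cooked connection to ip=10.0.0.5:9997 timed out
08-14-2024 10:16:01.441 +0000 WARN  TcpOutputProc [52 parsing] - Cooked connection to ip=10.0.0.5:9997 timed out
08-14-2024 10:16:05.100 +0000 ERROR TcpOutputFd [52 parsing] - Connection to host=10.0.0.5:9997 failed
EOF
}

# Stand-alone use: report on the real log if present, otherwise say where it was expected.
if log_path=$(find_splunkd_log); then
    triage_splunkd_log "$log_path"
else
    echo "no readable splunkd.log under $SPLUNK_HOME/var/log/splunk" >&2
fi
```

Run it from a shell inside the forwarder container; a missing or unreadable file points at the path and permission checks in steps 1 and 4, while repeated output-side warnings point at `outputs.conf` in step 3.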
