Skip to main content
Splunk Lantern

Troubleshooting data not coming in from a Universal Forwarder


It can be frustrating when you're not receiving data from a universal forwarder (UF), because after all your hard work and configuration, you go to look in your index in Splunk and find that there are no events found. There may be multiple reasons for this, however, being able to use internal logs to your advantage can narrow it down.


First level triage

  • Can the Splunk platform read the directory or file you want it to monitor?
  • Are there communication issues between your UF and your indexer?
    • You can see this from the _internal logs e.g. index=_internal log_level=ERROR
    • Or similar, if the UI is disabled on the UF, you will have to manually navigate to the $splunkhome/var/log/splunk/splunkd.log
  • Is a restart of the UF required for the changes you have made?

Communication issues

If all of the above is all working as is expected, then you can move on to looking at your end point-indexer communication.

  • Check if the UF is connecting to the indexer:
    • index=_internal source=*metrics.log* tcpin_connections | stats count by sourceIp
  • Check if the index you have specified in your inputs.conf exists.
  • Check your time range, adjust your search to All Time in case the timestamp is being read incorrectly.

Next steps

If you still need assistance with this procedure, UK-based Somerford Associates can help. Somerford Associates is an award winning Elite Partner with Splunk and the largest Partner Practice of Consultants in EMEA. We protect data, demonstrate that it is being managed effectively and derive greater value, by providing real-time insights to support effective decision making. With our specialist knowledge, skills, experience and strong reputation for enabling digital transformation at scale and at pace, we provide full delivery, including design, implementation, deployment and support. Find us on& Splunk Partnerverse.

The user- and community-generated information, content, data, text, graphics, images, videos, documents and other materials made available on Splunk Lantern is Community Content as provided in the terms and conditions of the Splunk Website Terms of Use, and it should not be implied that Splunk warrants, recommends, endorses or approves of any of the Community Content, nor is Splunk responsible for the availability or accuracy of such. Splunk specifically disclaims any liability and any actions resulting from your use of any information provided on Splunk Lantern.