Splunk Universal Forwarder not sending data to Indexer

Question

I am reading different logs from same source folder. But not all files are getting read, one stanza works other don't. If i restart the UF, all stanzas work, but changed data is not capturing by one stanza.

files i am planning to monitor below files

performance_data.log
performance_data.log.1
performance_data.log.2
performance_data.log.3

performance.log
performance.log.1
performance.log.2

SystemOut.log

my input.conf file

[default]
host = LOCALHOST

[monitor://E:\Data\AppServer\A1\performance_data.lo*]
source=applogs
sourcetype=data_log
index=my_apps

[monitor://E:\Data\AppServer\A1\performance.lo*]
source=applogs
sourcetype=perf_log
index=my_apps

[monitor://E:\Data\logs\ImpaCT_A1\SystemOu*]
source=applogs
sourcetype=systemout_log
index=my_apps

\performance_data.lo* and \SystemOu* stanzas working fine, but performance.lo* stanza not working. only sends data when i restart the UF (universal forwarder), but changes were not sending automatically like other stanzas did. Anything i am doing wrong here ?

Ramkumar Ramkumar · Accepted Answer · 2020-09-03T06:39:44

It may be the buffer speed got exceed the limit so forwarder unable to send data to splunk so try to add in input.conf like below and create limit.conf in local path

input.conf

[monitor://E:\Data\AppServer\A1\performance.lo*]
source=applogs
sourcetype=perf_log
index=my_apps
crcSalt = <SOURCE>

limits.conf

[thruput]
maxKBps = 0

Splunk Universal Forwarder not sending data to Indexer

1 Answers