topic Re: Data not readable on receiver in Splunk Dev

Data not readable on receiver

eholz1 — Fri, 10 May 2019 18:01:24 GMT

Hello All,

I have a question. It seems that I am unable to correctly configure a relationship from
a server which has the Universal Forwarder installed (and acts like it is forwarding data)
On the forwarder I have inputs set to a log file, and outputs set to the Splunk Enterprise Server.

I have attempted to (via the web interface and the cli) to configure a "receiver" to everyone's favorite port: 9997.
I have not configured any thing in "Data Inputs" or "Monitoring" on the Splunk Enterprise server.
I get NO data from the server with the Universal Forwarder installed.

If I delete the receiver port (9997) - go to the Add Data area, select Monitor - and then add port, ip, a generic one line sourcetype,
and an index - I get data in, but all unreadable slashes and zeros, etc.

So my question is - what am I missing here?

Thanks

eholz1

Re: Data not readable on receiver

woodcock — Fri, 10 May 2019 19:21:12 GMT

Show us the contents of each inputs.conf and outputs.conf file and which server has it.

Re: Data not readable on receiver

eholz1 — Wed, 30 Sep 2020 00:29:29 GMT

Will do:
These files are in /opt/splunkforwarder/etc/system/local

From the server with Universal Forwarder installed:
outputs.conf:
[tcpout]
defaultGroup=cacti_index
[tcpout:cacti_index]
server=10.48.11.69:9997, cacti_index:9996
[tcpout-server://10.48.11.69:9997]

inputs.conf - file is empty no entres only [default]
if I do a ./splunk list monitor it shows the file that I want to monitor

I have a file: deployement.conf:
[target-broker:deploymentServer]
targetUri = 10.48.11.66:9997

On the Splunk Enterprise Server:
configured from the web gui

I did take a look at the README dir - I will check my confg on the forwarder

Thanks,

Eholz

Re: Data not readable on receiver

woodcock — Sun, 12 May 2019 04:57:09 GMT

Your outputs.conf on the UF should only have this:

[tcpout]
defaultGroup=cacti_index
[tcpout:cacti_index]
server=10.48.11.69:9997

You also need an inputs.conf like this in your indexer:

[splunktcp://9997]

Re: Data not readable on receiver

eholz1 — Mon, 13 May 2019 14:36:36 GMT

Hello Mr. Woodcock,

I do still have questions. The universal forwarder seems to be OK. Will incorporate your changes. I may be going to the wrong place to get, or setup the data on the Indexer.

I assumed that part of the configuration on the indexer is: Go to settings, then "Receiving and Forwarding" and set the TCP port there for receiving. When I do this I do not get any data. If I delete this setting, and go to "Settings", Data Input, and monitor Local TCP/UDP,
I get data. If I go down to the :Forwarding and Receiving section in Data Input, I get no data using "get forwarded" data. I am guessing that is lower section in the dialog window is really for an indexer that is set up as a receiver or forwarder. Is this correct?

And - thanks for the post, it is very helpful

eholz1

Re: Data not readable on receiver

eholz1 — Mon, 13 May 2019 21:51:25 GMT

One more note - followed your suggestions, and after restarting the Uni Forwarder and the splunk indexer.
with your suggestions, it actually works! I am in shock. Now for my field extractions!

Thanks Again,

eholz1