topic Re: How do I set up a Splunk Cloud Trial (Sandbox) Forwarder? in Getting Data In

How do I set up a Splunk Cloud Trial (Sandbox) Forwarder?

khourihan_splun — Thu, 05 Feb 2015 00:48:46 GMT

I've noticed customers having problems with the current 6.2.1 Online Sandboxes. As of last month, the UI has changed significantly with the new upgrade.

Customers used to have to manually enter their outputs.conf, but thats changed now. How do you do it?

Re: How do I set up a Splunk Cloud Trial (Sandbox) Forwarder?

khourihan_splun — Thu, 05 Feb 2015 01:01:07 GMT

Now with the new version of Splunk, you can get your Forwarder Configuration app right from the GUI. It contains all the settings to setup security and tell the forwarder where to send your machine data.

From the Launcher app (default landing page)

Look on the left of the screen and click the forwarder app

From there you will download your forwarder config app.

Follow the instructions and you are good to go.

Inside there are a bunch of files, but notice the outputs.conf, and see the server= setting on the line below. So you aren’t using the same FQDN as you use for the UI.

[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
compressed = false
disabled = false
server = input-blah.cloud.splunk.com:9997
sslCommonNameToCheck = blah.cloud.splunk.com
sslCertPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/client.pem
sslPassword = fdf1c4601674ddd5fca3db0486d927db
sslRootCAPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/cacert.pem
sslVerifyServerCert = true
useACK = true

Give that a whirl and let me know what you think.

Regards,
Kyle

PS One note on WINDOWS forwarders. During installation, the wizard asks you to enter Deployment Server and Receiving Indexer FQDNs or IPs. LEAVE THEM BLANK.
The .spl package will configure your receiving indexer(s) for you, and unless you have an on premise DS, then leave it blank. Else, your data will never show up and you will be unhappy.

Re: How do I set up a Splunk Cloud Trial (Sandbox) Forwarder?

malkiz_walkme — Thu, 19 Mar 2015 10:00:43 GMT

Does this also work on windows?
What are the commands I should run? (instead of the *nix paths)
How do I know if it worked?

Re: How do I set up a Splunk Cloud Trial (Sandbox) Forwarder?

delzinga — Tue, 09 Jun 2015 17:04:43 GMT

Wow, the confusion and major lack of user friendly install directions is terrible. I considered using Splunk, but I've spent more time trying to install/configure for this Sandbox that it's no longer worth my time.

Re: How do I set up a Splunk Cloud Trial (Sandbox) Forwarder?

khourihan_splun — Tue, 09 Jun 2015 18:23:03 GMT

Yes, it works on Windows too. Just run the same splunk install app from the "C:Program Files\\splunkforwarder\\bin" directory (or wherever %SPLUNK_HOME%\\bin lives.

Re: How do I set up a Splunk Cloud Trial (Sandbox) Forwarder?

khourihan_splun — Tue, 09 Jun 2015 18:25:42 GMT

note this app took out the backslashes, but you should not.

Re: How do I set up a Splunk Cloud Trial (Sandbox) Forwarder?

Cuyose — Wed, 23 Sep 2015 15:34:53 GMT

Odd, this did nothing when I ran it. no output at all and none of my outputs.conf files were edited. there seem to be no actual windows commands in the docs.

Re: How do I set up a Splunk Cloud Trial (Sandbox) Forwarder?

khourihan_splun — Fri, 25 Sep 2015 18:10:54 GMT

@Cuyose can make a diag and create a ticket and upload it? PM me at kyle@splunk.com the case # and we can take a look.

Re: How do I set up a Splunk Cloud Trial (Sandbox) Forwarder?

avaikar — Tue, 29 Sep 2020 13:26:55 GMT

Doesnt seem to work for me.
This is what I see in the log:

04-03-2017 15:38:31.923 +0000 INFO  DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
04-03-2017 15:38:34.429 +0000 WARN  HttpPubSubConnection - Unable to parse message from PubSubSvr: 
04-03-2017 15:38:34.429 +0000 INFO  HttpPubSubConnection - Could not obtain connection, will retry after=32.804 seconds.
04-03-2017 15:38:43.923 +0000 INFO  DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
04-03-2017 15:38:55.923 +0000 INFO  DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
04-03-2017 15:38:57.482 +0000 ERROR TcpOutputFd - Connection to host=52.201.237.113:9997 failed. sock_error = 104. SSL Error = error:00000000:lib(0):func(0):reason(0)
04-03-2017 15:39:07.441 +0000 WARN  HttpPubSubConnection - Unable to parse message from PubSubSvr: 
04-03-2017 15:39:07.442 +0000 INFO  HttpPubSubConnection - Could not obtain connection, will retry after=63.757 seconds.

I tried telnet to the IP & port, and that seems to go through.

Missed mentioning that this is on ubuntu.

The outputs.conf is:

[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
compressed = false
disabled = false
server = input-prd-p-h3z7wk2hxjrm.cloud.splunk.com:9997
sslCommonNameToCheck = input-prd-p-h3z7wk2hxjrm.cloud.splunk.com
sslCertPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/client.pem
sslPassword = 8997f53906a6bc9140a895e78335143b
sslRootCAPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/cacert.pem
sslVerifyServerCert = true