https://community.splunk.com/t5/Getting-Data-In/Forward-data-to-Indexer-cluster/m-p/212452#M41774 <P>I am in the middle of understanding an already built environment and trying to figure out how a splunk universal forward is configured. A brief about the environment , 3 search heads, 2 indexers, 1 deployment server and license master, and master node.</P> <P>In one of the forwarder configuration is configured as deployment client. But i don't find the outputs.conf either in apps or in system folders. But the forwarder is sending data to the indexers. Is there a way to find out how it sends by CLI or Any other conf file?</P> <P>Thank you in advance. </P> Sat, 05 Nov 2016 14:06:25 GMT nravichandran 2016-11-05T14:06:25Z https://community.splunk.com/t5/Getting-Data-In/Forward-data-to-Indexer-cluster/m-p/212452#M41774 <P>I am in the middle of understanding an already built environment and trying to figure out how a splunk universal forward is configured. A brief about the environment , 3 search heads, 2 indexers, 1 deployment server and license master, and master node.</P> <P>In one of the forwarder configuration is configured as deployment client. But i don't find the outputs.conf either in apps or in system folders. But the forwarder is sending data to the indexers. Is there a way to find out how it sends by CLI or Any other conf file?</P> <P>Thank you in advance. </P> Sat, 05 Nov 2016 14:06:25 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-data-to-Indexer-cluster/m-p/212452#M41774 nravichandran 2016-11-05T14:06:25Z https://community.splunk.com/t5/Getting-Data-In/Forward-data-to-Indexer-cluster/m-p/212453#M41775 <P>Hi nravichandran!</P> <P>Try running the 'list forward-server' command from the forwarder itself when looking to confirm if, and to whom, the forwarder is sending:</P> <PRE><CODE>splunker@n00b-splkufwd-01:/opt/splunkforwarder/bin$ ./splunk list forward-server Your session is invalid. Please login. Splunk username: admin Password: Active forwards: 10.10.31.216:9997 Configured but inactive forwards: None </CODE></PRE> <P>Also, btool is a must! Do yourself a huge favor and explore it as part of getting to know this enviro:</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/6.5.0/Troubleshooting/Usebtooltotroubleshootconfigurations">https://docs.splunk.com/Documentation/Splunk/6.5.0/Troubleshooting/Usebtooltotroubleshootconfigurations</A></P> <P>Splunk forwarders sending data must have an outputs.conf. You can use btool to get splunk to tell you, what configs, are coming from where: </P> <P>Here's an example</P> <PRE><CODE>splunker@n00b-splkufwd-01:/opt/splunkforwarder/bin$ ./splunk btool outputs list --debug /opt/splunkforwarder/etc/system/default/outputs.conf [syslog] /opt/splunkforwarder/etc/system/default/outputs.conf dropEventsOnQueueFull = -1 /opt/splunkforwarder/etc/system/default/outputs.conf maxEventSize = 1024 /opt/splunkforwarder/etc/system/default/outputs.conf priority = &lt;13&gt; /opt/splunkforwarder/etc/system/default/outputs.conf type = udp /opt/splunkforwarder/etc/apps/n00blab_ufw_base/local/outputs.conf [tcpout] /opt/splunkforwarder/etc/system/default/outputs.conf ackTimeoutOnShutdown = 30 /opt/splunkforwarder/etc/system/default/outputs.conf autoLBFrequency = 30 /opt/splunkforwarder/etc/system/default/outputs.conf blockOnCloning = true /opt/splunkforwarder/etc/system/default/outputs.conf blockWarnThreshold = 100 /opt/splunkforwarder/etc/system/default/outputs.conf compressed = false /opt/splunkforwarder/etc/system/default/outputs.conf connectionTimeout = 20 /opt/splunkforwarder/etc/apps/n00blab_ufw_base/local/outputs.conf defaultGroup = n00b-splkidx-02 /opt/splunkforwarder/etc/system/default/outputs.conf disabled = false /opt/splunkforwarder/etc/system/default/outputs.conf dropClonedEventsOnQueueFull = 5 /opt/splunkforwarder/etc/system/default/outputs.conf dropEventsOnQueueFull = -1 /opt/splunkforwarder/etc/system/default/outputs.conf forceTimebasedAutoLB = false /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/outputs.conf forwardedindex.0.whitelist = .* /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/outputs.conf forwardedindex.1.blacklist = _.* /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/outputs.conf forwardedindex.2.whitelist = (_audit|_introspection|_internal|_telemetry) /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/outputs.conf forwardedindex.filter.disable = false /opt/splunkforwarder/etc/system/default/outputs.conf heartbeatFrequency = 30 /opt/splunkforwarder/etc/system/default/outputs.conf indexAndForward = false /opt/splunkforwarder/etc/system/default/outputs.conf maxConnectionsPerIndexer = 2 /opt/splunkforwarder/etc/system/default/outputs.conf maxFailuresPerInterval = 2 /opt/splunkforwarder/etc/system/default/outputs.conf maxQueueSize = auto /opt/splunkforwarder/etc/system/default/outputs.conf readTimeout = 300 /opt/splunkforwarder/etc/system/default/outputs.conf secsInFailureInterval = 1 /opt/splunkforwarder/etc/system/default/outputs.conf sendCookedData = true /opt/splunkforwarder/etc/system/default/outputs.conf sslQuietShutdown = false /opt/splunkforwarder/etc/system/default/outputs.conf tcpSendBufSz = 0 /opt/splunkforwarder/etc/system/default/outputs.conf useACK = false /opt/splunkforwarder/etc/system/default/outputs.conf writeTimeout = 300 /opt/splunkforwarder/etc/apps/n00blab_ufw_base/local/outputs.conf [tcpout-server://10.10.31.216:9997] /opt/splunkforwarder/etc/apps/n00blab_ufw_base/local/outputs.conf [tcpout:n00b-splkidx-02] /opt/splunkforwarder/etc/apps/n00blab_ufw_base/local/outputs.conf server = 10.10.31.216:9997 </CODE></PRE> <P>For windows CLI help see: <A href="https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/AbouttheCLI">https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/AbouttheCLI</A></P> Sat, 05 Nov 2016 14:45:27 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-data-to-Indexer-cluster/m-p/212453#M41775 mattymo 2016-11-05T14:45:27Z https://community.splunk.com/t5/Getting-Data-In/Forward-data-to-Indexer-cluster/m-p/212454#M41776 <P>Thank you very much for a detailed reply. I was able to figure out that the outputs.conf are under /apps//local folder. I was exicited to run the btool but it does not work for me. I have a root account and run ./splunk cmd btool outpus list --debug. It does not give results nor throw any error.</P> Sat, 05 Nov 2016 20:17:34 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-data-to-Indexer-cluster/m-p/212454#M41776 nravichandran 2016-11-05T20:17:34Z https://community.splunk.com/t5/Getting-Data-In/Forward-data-to-Indexer-cluster/m-p/212455#M41777 <P>you need to be under /opt/splunkforwarder/bin if it is a universal forwarder.</P> <P>also watch the typos!</P> <P>./splunk cmd btool outputs list --debug</P> Sat, 05 Nov 2016 20:49:32 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-data-to-Indexer-cluster/m-p/212455#M41777 mattymo 2016-11-05T20:49:32Z https://community.splunk.com/t5/Getting-Data-In/Forward-data-to-Indexer-cluster/m-p/212456#M41778 <P>Thank you very much!</P> Sat, 05 Nov 2016 20:56:04 GMT https://community.splunk.com/t5/Getting-Data-In/Forward-data-to-Indexer-cluster/m-p/212456#M41778 nravichandran 2016-11-05T20:56:04Z