topic Re: Universal Forwarder on Windows in Getting Data In

Universal Forwarder on Windows

pfabrizi — Mon, 21 Aug 2017 17:46:33 GMT

I am testing install of universal forwarder for windows. I am running 6.5.1 enterprise splunk but the universal forwarder I installed on windows is 6.6.2.

I get these errors:
is a compatibility issue?

8-21-2017 13:16:00.593 -0400 WARN TcpOutputFd - Connect to 10.83.180.135:9997 failed. A socket operation was attempted to an unreachable network.

8-21-2017 13:16:00.593 -0400 ERROR TcpOutputFd - Connection to host=10.83.180.135:9997 failed

Re: Universal Forwarder on Windows

tmarlette — Mon, 21 Aug 2017 17:55:44 GMT

using a few assumptions, i'm going to guess that 10.83.180.135 is your indexer? (port 9997 is the default data port)

If that's the case, there's a connectivity issue between the two machines. Try telnet tests / ssh tests and resolve as a standard connectivity issue.

Re: Universal Forwarder on Windows

skoelpin — Mon, 21 Aug 2017 20:13:38 GMT

It's not a compatibility issue, it's an issue with your forwarder connecting to your indexer. Did you enable receiving on the indexer? If not, go to Settings > Forwarding & Receiving > Enable Receiving and add port 9997 to listen

Re: Universal Forwarder on Windows

pfabrizi — Tue, 22 Aug 2017 10:30:31 GMT

I have other windows servers sending on 9997. I do have a question on which outputs.conf gets used.
I have 3 of them.

etc\apps\splunkuniversalforwarder\default
etc\system\default
etc\system\local - this is the one I changed.

where should it be?

Thanks!

Re: Universal Forwarder on Windows

pfabrizi — Tue, 22 Aug 2017 11:57:13 GMT

so I have it forwarding now, I was missing an inputs.conf configuration. It was out of box default, I guess.

what I do have a question is the folder structure.

My other Windows server has as custom configuration folder, that I think was pushed to it from the deployment server?

I am not really sure since we had a consultant set all this up and I haven't had any training to date.

Re: Universal Forwarder on Windows

tmarlette — Tue, 29 Sep 2020 15:28:56 GMT

You will likely need some training my friend. I suggest the administration course. Check here:
https://www.splunk.com/view/SP-CAAAAH9?ac=News_Feb09_EDU

the only folders that override /$SPLUNK_HOME/etc/apps/ are
$SPLUNK_HOME/etc/system/

also, there should never be a reason to touch /etc/system/default. bad things can happen if you mess up there and there's no fall back. you changed the right one in /etc/system/local. Always make changes there.

if you have conflicting configurations, it's common that there's something in /etc/system/local.

folder priority is a pretty dense topic with splunk, and depends heavily on your architecture.

Also... if you manipulated your forwarder manually, you may want to check others for a deploymentclient.conf file somewhere either in /etc/system/apps/ OR in /etc/system/local.

If you're using a DS, there is a default configuration ANY windows forwarder will pull down as soon as it connects.