topic Re: Forwarders configuration in Getting Data In

Forwarders configuration

andreac81 — Tue, 29 Sep 2020 14:21:05 GMT

Hi to all, I configured a forwarder as following

In Splunk Server:
- in /opt/splunk/etc/deployment-apps I copyed the forwarder apps (fwd_common, fwd_jboss,..)
- in /opt/splunk/etc/deployment-apps/fwd_common/default/outputs.conf I inserted

[tcpout]
defaultGroup = ovdgroup

[tcpout:ovdgroup]
server = splunkserverIP:9997
autoLB = true

in /opt/splunk/splunk/etc/system/local/serverclass.conf I inserted

[serverClass:FWD_JBOSS]
whitelist.0 = monitoredserverhostname

[serverClass:FWD_COMMON]
whitelist.0 = monitoredserverhostname
I set the inputs.conf files in order to analyze log files.

In Forwarder management, in "Clients" tab, I can see the client (Jboss Server) that "Phoned Home" a few seconds ago and in "Apps" tab I can see the apps deployed.

The indexes that should be populated by jboss log files are empty.

Wich checks can I perform in order to understand why indexes are empty?

Thanks,
Andrea

Re: Forwarders configuration

adonio — Fri, 09 Jun 2017 12:46:32 GMT

hello there,
try this article:
http://docs.splunk.com/Documentation/Splunk/6.6.1/Troubleshooting/Cantfinddata
also, did you set your app to restart splunkd? enable restart configuration, might be needed when adding inputs.
good way to check is to search index =_intrenal host=yourhost
if theres data, it means the inputs did not apply
if there is not, check also outputs
hope it helps

Re: Forwarders configuration

andreac81 — Fri, 16 Jun 2017 14:26:43 GMT

I tried following search

index =_internal clientip=10.95.1.119

All results are like

16/06/17 10.21.08,858   
10.95.1.119 - - [16/Jun/2017:10:21:08.858 -0400] "POST /services/broker/phonehome/connection_10.95.1.119_8089_10.95.1.119_hostname HTTP/1.1" 200 1126 - - - 1ms
host = splunk-server.novalocal source = /opt/splunk/splunk/var/log/splunk/splunkd_access.log sourcetype = splunkd_access

I think the only activity is the "phonehome/connection" but not log file forward.
Have I failed to install forwarder? I've read http://docs.splunk.com/Documentation/Splunk/6.6.1/Troubleshooting/Cantfinddata but it's seems to be ok.

Thanks

Re: Forwarders configuration

adonio — Fri, 16 Jun 2017 14:59:16 GMT

does you host sends data to splunk?
index=_internal host=yourUniqueHost
can you look at the host file structure?
go to splunkforwarder/etc/apps/ and make sure you see the apps you are trying to deploy
hope it helps

Re: Forwarders configuration

andreac81 — Sat, 17 Jun 2017 21:11:16 GMT

If I search for index=internal the only host present is the spkunk server, so I think clients aren't sending data.
But In Forwarder management, in "Clients" tab, I can see the client (Jboss Server) that "Phoned Home" a few seconds ago and in "Apps" tab I can see the apps deployed, so where the bug is?

Re: Forwarders configuration

adonio — Sun, 18 Jun 2017 20:25:40 GMT

look here:
http://docs.splunk.com/Documentation/Splunk/6.6.1/Updating/Useserverclass.conf
your severclass.conf is off.
will recommend to start with the GUI by creating a serverclass, adding clients and adding apps
then go to back-end and look at the serverclass.conf that splunk created.
the logic can be sometimes a little confusing