topic Re: help please : inputs problem in Getting Data In

help please : inputs problem

neermine — Wed, 15 Aug 2018 08:01:50 GMT

hi i have configurate my universal forwarder and splunk so i can find my machine in the host list of splunk .. but i think i have a problem in the inputs.conf because i can't find the sourcetype and the indexer that i have creat

Re: help please : inputs problem

FrankVl — Wed, 15 Aug 2018 08:59:52 GMT

You're showing the inputs.conf on the UF, what does the rest of your setup look like? Have you also configured outputs.conf to send the data to your indexer? Have you set up this index on your indexer?

You'll need to describe your problem a bit better for anyone to be able help you solve it.

Re: help please : inputs problem

neermine — Wed, 15 Aug 2018 09:44:14 GMT

yes i configured outputs.conf and the forwarder status of the UF is configurate and active
in the host list of splunk i can find my machine name
i configure the tcp port 9997
but what did you mean by set up the index on your indexer ?

Re: help please : inputs problem

FrankVl — Wed, 15 Aug 2018 09:52:45 GMT

You configured index=me in your inputs.conf. Did you also actually create that index on your indexer (your splunk enterprise instance)?

Re: help please : inputs problem

neermine — Wed, 15 Aug 2018 13:29:44 GMT

yes i did but it has no events

Re: help please : inputs problem

skoelpin — Wed, 15 Aug 2018 13:35:10 GMT

You should look at the forwarder logs and see if its sending data. You can see this by going to /top/splunkforwarder/var/log/splunk/splunkd.log and this will tell you if its sending its logs to the indexer(s). You can also do a quick search to see if any logs are present. Assuming this is a relatively new setup, you can set your time range to all-time

| metasearch index=me

Re: help please : inputs problem

neermine — Wed, 15 Aug 2018 13:49:46 GMT

metasearch index=me didn't give me any result and i think the forwarder is not sending logs to the indexer

Re: help please : inputs problem

skoelpin — Wed, 15 Aug 2018 14:03:52 GMT

Most likely. You should check out the forwarder logs and see what the forwarder is complaining about. Also, can you do a telnet from the forwarder to the indexer?

From the forwarder machine, go to your cmd prompt and do a telnet <indexIP> 9997 and see if it connects. The forwarder logs will also tell you if its being blocked. Either way works

Re: help please : inputs problem

neermine — Wed, 15 Aug 2018 15:17:24 GMT

when do telnet 10.10.1.1 9997 an empty black window opens with the name telnet 10.10.1.1

Re: help please : inputs problem

skoelpin — Wed, 15 Aug 2018 15:27:29 GMT

This means your forwarder can successfully connect to the indexer on that port, so you do not have a firewall issue, most likely a configuration issue. Have you confirmed the file your monitoring has data? Did you restart the Splunk service after updating your inputs?

What is the forwarder log saying? If its a windows machine you can check under

C:/Program Files/Splunkforwarder/var/log/splunk/splunkd.log

Re: help please : inputs problem

neermine — Wed, 15 Aug 2018 15:40:20 GMT

This is how it looks like.
And what did you mean by confirm the file you're monitoring has data?

Re: help please : inputs problem

skoelpin — Wed, 15 Aug 2018 16:08:48 GMT

Your image doesn't work.. You can simply look through the file and identify if there are errors. If there are errors then you need to chase down what they are

Do you have a log file under C:\var\log\splunk*.log? Does that log file have data?

I don't see an index defined for your perfmon data, have you checked index=main to see if its there? Try this (Don't forget to include the leading "|")

| metasearch index=*

Re: help please : inputs problem

neermine — Wed, 15 Aug 2018 16:32:43 GMT

i didn't find an error file

Re: help please : inputs problem

skoelpin — Wed, 15 Aug 2018 16:40:29 GMT

Your selectively answering my questions.. Please go back and look over the questions I asked and verify

Re: help please : inputs problem

neermine — Wed, 15 Aug 2018 16:42:43 GMT

when i do splunk list inputstatus i find this https://postimg.cc/image/8chpezujl/
so i changed [monitor:/C:\var\log*.log] by [monitor:\\var\log*.log]
https://postimg.cc/image/ked39aoe9/![alt text]2

Re: help please : inputs problem

skoelpin — Wed, 15 Aug 2018 16:46:57 GMT

You're ignoring my questions...

Have you confirmed there are logs under C:\\var\log*.log OR \var\log*.log? You're also missing a C:\ in your new stanza. You MUST restart the splunk service after changing inputs. Have you also looked under index=main?

Re: help please : inputs problem

neermine — Wed, 15 Aug 2018 16:55:12 GMT

sorry , i have log files under var\log\splunk and they have data
in splunkdlog i didn't find an error
i looked under index= main and i find all events with host= the machine of my forwarder and source and sourcetype = WinEventLog:Security
and i didn't find my index or my sourcetype
and when i do | metasearch index= me i have no result

Re: help please : inputs problem

skoelpin — Wed, 15 Aug 2018 17:05:34 GMT

This means your forwarder is working as expected and you have a misconfiguration in your stanza for index=me.

Can you give me the full path includign the log file name?

I'm assuming its C:\var\log\splunk\<logname>.log?

Re: help please : inputs problem

neermine — Wed, 15 Aug 2018 17:18:40 GMT

C:\var\log\splunk\splunkd.log or
C:\var\log\splunk\health.log

with *.log i did mean any log file

Re: help please : inputs problem

skoelpin — Wed, 15 Aug 2018 17:32:16 GMT

Update your inputs.conf with the stanza below. If this works then you can replace splunkd.log with *.log. You must restart the splunk service to verify this is working. Once you restart, you should then put the timerange picker to all-time then run | metasearch index=me

[monitor://C:\var\log\splunk\splunkd.log]
index=me
sourcetype=log

If this doesn't work then it could be a permissions issue.