Hi @AL3Z ,

good for you, see next time!

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Hi, @livehybrid 

> I had placed the inputs.conf file within an app folder $SPLUNK_HOME/etc/apps/yourApp/local/inputs.conf only. 

> Splunk Forwarder and Splunk Server are installed on the same host,  yes forwarder deployment is sending its internal logs to the main instance. 

@AL3Z So you are seeing 2 hostnames in your internal logs?

And/Or sources from both: 
C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log 
and
C:\Program Files\Splunk\var\log\splunk\splunkd.log 

Does the windows_logs index exist on your main Splunk instance?

In the context of the SplunkUniversalForwarder, can you run:

C:\Program Files\SplunkUniversalForwarder\bin\splunk cmd btool inputs list

Do your expected Windows inputs get listed?

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Hi @livehybrid ,

I'm seeing only the 1 hostname in the internal logs.

Yes windows_logs index exist on main Splunk instance.

When i ran the btool cmd i can see the windows inputs list.

Thanks..

Hi @AL3Z 

Okay, so that tells us that the inputs on the UF should be working, however the single hostname in the _internal log is inconclusive, as if the UF is on the same server as the main instance it would have the same hostname unless you have specifically modified the serverName on one of the instance? As @gcusello mentioned, having both on the same server/machine will be making things more complicated.

Essentially what we're trying to establish here is if the flow isnt going from the UF, or if the input isnt working. Im starting to suspect that the data isnt going from the UF, so I think it would be good to establish some proof either way. 

If you search "index=_internal source=*splunkd.log" - How many source do you see in the interested fields on the left? If the UF is sending then you should see 2.

How have you configured the forwarding of the data from UF the main instance, and how have you configured the main instance to listen (Presumably on port 9997)?

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Hi @livehybrid,

I did'nt modify the serverName on my instance.

If i search "index=_internal source=*splunkd.log" - I would see the 2  sources in the interested fields.

I had configured the forwarding of the data from UF and the main instance both using port 9997.

In real time uf and server should not be on the same machine right?

Thanks..