I cant connect my forwarder splunk and my enterprise splunk. I verified, by netstat, the connections and both tools are connected. However, in the Enterprise Splunk i cant see my forwarder splunk. I hope you can help me. Thanks.
When you say Splunk Enterprise can't see the forwarder, this could mean a few things.
If your using the deployment server, are you referring to Splunk not being able to see the forwarder? If so, then you need to add
deploymentclient.conf so Splunk Enterprise can see it.
If your not using the deployment server, you need to add an
outputs.conf to your forwarder, restart the service, and data will start flowing into Splunk.
Have you configured your forwarder with some inputs?
box-fresh a linux forwarder will not send anything, but a windows UF will prompt you to add some inputs during install.
You will however, get internal logs - have you looked for
index=_internal if its working, you should see logs for both the indexer and UF