I am trying to set up a universal Splunk forwarder but I think I am missing something.
On restart the Splunk forwarder is starting; here is the attached screenshot.
But in the Select Forwarders screen it is not appearing; here is the attached screenshot.
I think I am messing up outputs.conf.
Any help would be appreciated.
You most likely forgot to tell your UF where your central Splunk instance is located. On a Windows UF, you could do this during installation (it asks for a Deployment Server IP).
After installation, go to the Splunk UF install directory, go to the subdirectory bin, and run splunk.exe set deploy-poll IP:8089, where IP is the IP/hostname of your central Splunk instance.
Alternatively, and cleaner for later management, would be to go to the Splunk UF install directory, go to the subdirectory etc/apps, create a new directory deploymentclient-config, create a subdirectory default, create a file named deploymentclient.conf, and put this in the file:
[deployment-client]
[target-broker:deploymentServer]
targetUri = deploymentserver.splunk.mycompany.com:8089
Again, replace it with your IP/hostname.
If that doesn't work, check for a firewall issue between the UF and central Splunk.
Thanks a lot for replying.
I made the required changes and restarted Splunk.
I am getting the below messages in var/logs/splunk:
05-01-2018 11:14:19.763 +0530 WARN TailReader - Could not send data to output queue (parsingQueue), retrying...
05-01-2018 11:14:26.129 +0530 WARN TcpOutputProc - Cooked connection to ip=10.1.1.200:9997 timed out
05-01-2018 11:14:26.229 +0530 WARN TcpOutputProc - Cooked connection to ip=34.224.249.175:9997 timed out
05-01-2018 11:14:30.228 +0530 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
05-01-2018 11:14:39.727 +0530 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr:
05-01-2018 11:14:39.727 +0530 INFO HttpPubSubConnection - Could not obtain connection, will retry after=77.394 seconds.
05-01-2018 11:14:42.229 +0530 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
Okay, your connections time out. In 99% of all cases this is a firewall-related problem, because firewalls tend to silently drop requests that are not allowed, creating timeouts when trying to connect.
You should check with your network security people; they're most likely able to help you.
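The splunkd.log lines posted above separate into two failure domains: the data outputs (TcpOutputProc, the indexers on port 9997 from outputs.conf) and the deployment client (DC:DeploymentClient, the deployment server on port 8089 from deploymentclient.conf). The following is an added example, not code from the thread or from Splunk, that parses lines of that shape and reports which domain is failing; the sample input is the log excerpt posted in this thread, and the line regex assumes the `date time offset LEVEL Component - message` layout those lines show.

```python
import re
from collections import Counter

# Sample input: the splunkd.log lines posted in this thread.
SAMPLE_LINES = [
    "05-01-2018 11:14:19.763 +0530 WARN TailReader - Could not send data to output queue (parsingQueue), retrying...",
    "05-01-2018 11:14:26.129 +0530 WARN TcpOutputProc - Cooked connection to ip=10.1.1.200:9997 timed out",
    "05-01-2018 11:14:26.229 +0530 WARN TcpOutputProc - Cooked connection to ip=34.224.249.175:9997 timed out",
    "05-01-2018 11:14:30.228 +0530 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected",
    "05-01-2018 11:14:39.727 +0530 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr:",
    "05-01-2018 11:14:39.727 +0530 INFO HttpPubSubConnection - Could not obtain connection, will retry after=77.394 seconds.",
    "05-01-2018 11:14:42.229 +0530 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected",
]

# Assumed line layout: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+) (?P<component>\S+) - (?P<msg>.*)$"
)
# Destination embedded in TcpOutputProc messages, e.g. "ip=10.1.1.200:9997"
DEST_RE = re.compile(r"ip=(?P<host>[^:\s]+):(?P<port>\d+)")


def parse_line(line):
    """Split one splunkd.log line into ts/level/component/msg; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Count connectivity symptoms per failure domain.

    timeouts:         output destinations whose TCP connection timed out (a timeout,
                      rather than a refusal, is what a silently dropping firewall or an
                      unroutable address produces)
    ds_not_connected: deployment-client handshakes that could not reach the DS
    pubsub_retry:     DS pub/sub channel retries (same DS connection)
    queue_blocked:    TailReader backpressure, a consequence of the outputs being down
    """
    timeouts = Counter()
    ds_not_connected = pubsub_retry = queue_blocked = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        comp, msg = rec["component"], rec["msg"]
        if comp == "TcpOutputProc" and "timed out" in msg:
            dest = DEST_RE.search(msg)
            if dest:
                timeouts[f"{dest['host']}:{dest['port']}"] += 1
        elif comp == "DC:DeploymentClient" and "err=not_connected" in msg:
            ds_not_connected += 1
        elif comp == "HttpPubSubConnection" and "Could not obtain connection" in msg:
            pubsub_retry += 1
        elif comp == "TailReader" and "Could not send data to output queue" in msg:
            queue_blocked += 1
    return {
        "timeouts": dict(timeouts),
        "ds_not_connected": ds_not_connected,
        "pubsub_retry": pubsub_retry,
        "queue_blocked": queue_blocked,
    }


def verdict(summary):
    """Name the failing domain(s) so the fix can be aimed at outputs.conf, at
    deploymentclient.conf, or at the network path in between."""
    outputs_down = bool(summary["timeouts"])
    ds_down = summary["ds_not_connected"] > 0 or summary["pubsub_retry"] > 0
    if outputs_down and ds_down:
        return "outputs_and_ds_unreachable"
    if outputs_down:
        return "outputs_unreachable"
    if ds_down:
        return "ds_unreachable"
    return "no_connectivity_errors"


if __name__ == "__main__":
    summary = triage(SAMPLE_LINES)
    for dest, n in summary["timeouts"].items():
        print(f"output {dest}: {n} timeout(s)")
    print(f"DS handshake failures: {summary['ds_not_connected']}")
    print(f"verdict: {verdict(summary)}")
```

Run against the posted excerpt it reports both indexer destinations timing out and two failed DS handshakes, i.e. both domains unreachable at once, which is the pattern that points at the network path (or at a wrong address in both config files) rather than at one misconfigured file.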
I opened port 8089 in the firewall for both inbound and outbound calls.
I am configuring Splunk Cloud with a universal forwarder on my local machine.
I think I am providing the wrong deployment server.
I provided the domain of the Splunk Cloud URL as the deployment server. Is that correct?
Ah, I missed the part about Splunk Cloud.
The docs say this:
To enable you to use Splunk Web to manage forwarders and configure data inputs) In the Deployment Server dialog, enter your Splunk Cloud hostname in the Hostname or IP field. Specify the URL provided in your Welcome email, omitting the leading https:// and preceding the URL with "input-". For example: input-prd-p-z41nh2qlt7cx.cloud.splunk.com. (Note: When you install the universal forwarder on other platforms, you must configure the deployment server/client settings manually by editing .conf files. On Windows, this logic is included in the installer.)
Check this: https://docs.splunk.com/Documentation/SplunkCloud/7.0.0/User/ForwardDataToSplunkCloudFromWindows
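The derivation in the quoted docs (take the Welcome-email URL, drop https://, prefix the host with input-) is easy to get slightly wrong by hand, and the two answers above together describe where the result goes (the deploymentclient.conf stanza) and how to tell a firewall drop from a wrong address (a timeout versus a refusal). The following added example, not code from the thread or from Splunk, does all three: it derives the deployment-server target from the Welcome URL, renders the deploymentclient.conf contents in the layout the first answer shows, and classifies a TCP connect attempt. The hostname is the docs' own example; `local_listener` is a helper added only so the probe can be exercised against loopback.

```python
import socket
from urllib.parse import urlparse

DS_PORT = 8089   # management port the deployment client polls (from the answers above)
IDX_PORT = 9997  # receiving port the posted splunkd.log shows the indexers on


def cloud_deployment_server(welcome_url, port=DS_PORT):
    """Turn the Splunk Cloud URL from the Welcome email into the deployment-server
    target: drop the scheme and any path, prefix the hostname with 'input-',
    append the management port."""
    url = welcome_url.strip()
    if "://" not in url:           # tolerate a bare hostname pasted without https://
        url = "https://" + url
    host = urlparse(url).hostname   # strips scheme, path, port and credentials
    if not host:
        raise ValueError(f"no hostname in {welcome_url!r}")
    if host.startswith("input-"):   # already converted; prefixing twice breaks it
        raise ValueError("hostname already carries the input- prefix")
    return f"input-{host}:{port}"


def render_deploymentclient_conf(target_uri):
    """Contents for etc/apps/deploymentclient-config/default/deploymentclient.conf,
    in the stanza layout given in the first answer of this thread."""
    return (
        "[deployment-client]\n"
        "\n"
        "[target-broker:deploymentServer]\n"
        f"targetUri = {target_uri}\n"
    )


def probe_tcp(host, port, timeout=5.0):
    """Classify a TCP connect: 'open', 'refused' (host reachable, nothing listening),
    'timeout' (packets silently dropped, the firewall signature described above),
    'dns_error', or 'error:<errno>' for anything else."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except socket.gaierror:
        return "dns_error"
    except OSError as exc:
        return f"error:{exc.errno}"


def local_listener():
    """Helper for exercising probe_tcp offline: a listening socket on an ephemeral
    loopback port. Returns (server_socket, port); close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Hostname is the example from the Splunk Cloud docs quoted above.
    target = cloud_deployment_server("https://prd-p-z41nh2qlt7cx.cloud.splunk.com")
    print(render_deploymentclient_conf(target))
    host, port = target.rsplit(":", 1)
    print(f"{target}: {probe_tcp(host, int(port))}")
```

A 'timeout' from probe_tcp on the derived host:8089 (or on an indexer's 9997, as the posted log showed) means the packets are not coming back, which is the firewall case from the earlier answer; a 'refused' means the host was reached but nothing listens there, so the address or port is wrong; a 'dns_error' means the input- hostname was mistyped. The probe is only a reachability check, not a Splunk handshake, so 'open' still has to be followed by the UF appearing in the forwarder list.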
Great... it worked.
Many many thanks, man.