I am trying to set up a forwarder on my server and it's not working.
FYI - I have two servers:
1) Full Splunk (trial version downloaded from splunk.com) installed.
2) Only the forwarder (also downloaded from splunk.com) installed.
I am following the below procedure to set up:
Started ./splunk start on both servers.
Logged on to web search using the admin account and configured a receiver (via the Manager option) with TCP port 8189.
Configured the forwarder and specified the other server with port 8189 (server 2) from where I need the data to be forwarded to this main Splunk indexer (server A).
*Web login is using server A (where the main Splunk instance is running).
With all this, it's not working. I have restarted the servers on both the instances after I configured receivers and forwarders.
Not sure what the actual procedure is that I should follow to make it work.
Have you tried sending data to the indexer by setting up a monitor on the forwarder?
Also, have you done a search for index=_internal and seen what results are returned for host? You should see the forwarder's host.
Thanks for your response :). I have not done the monitor setup on the forwarder. After looking at your response, I tried to do some setup but can't find any tips on setting up a monitor. Please advise if there is any documentation or tips...
The Splunk Deployment Monitor is a separate app, see the documentation at http://docs.splunk.com/Documentation/DepMon/5.0.2/DeployDepMon/AboutSplunkDeploymentMonitorApp. Are you using the universal forwarder or the light forwarder (I know you said light but I'm double-checking)? Here is the information about searching for host information in index=internal: http://docs.splunk.com/Documentation/Splunk/5.0.3/Deploy/Deployanixdfmanually#Troubleshootyour_deployment.
If you haven't added any monitors on the forwarder, what data were you really expecting to see after your initial setup? Forwarders by default do not monitor anything at all...
Thanks Chris, I am using the light forwarder. FYI to all: I am a newbie to Splunk and have been trying to set up an environment on our infrastructure. I did not find any documentation earlier about monitors. Anyway, I have installed the Deployment Monitor now and am trying to see if I can do any configuration on either machine directly or on the web to make sure I see the data from both servers.
Based on my understanding, I expect to see some data on the indexer after I have configured the receiver on the main Splunk installation server (using inputs.conf) and outputs.conf on the forwarder server (server B) where the light forwarder is installed.
Any further advice would be helpful. Thanks in advance.
You might look at the var/log/splunk/splunkd.log file on the forwarder. It will give you clues on connectivity to your Splunk index server as well as the folders that it is monitoring. You will see errors in this file if it cannot connect to the indexer. The metrics.log file will also tell you what files it is actually processing and sending to the indexer.
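
The three configuration pieces discussed in this thread, shown together as an added example that is not part of any post above: the receiver input on the indexer, the output on the forwarder, and a file monitor on the forwarder. The hostname `serverA.example.com`, the group name `main_indexer`, and the monitored path `/var/log/messages` with its index and sourcetype are assumptions for illustration; port 8189 is the one from the question.

```ini
# --- Server A (indexer): $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Listen for data from Splunk forwarders on the receiving port used in the thread.
[splunktcp://8189]
disabled = 0

# --- Server B (forwarder): $SPLUNK_HOME/etc/system/local/outputs.conf ---
[tcpout]
# main_indexer is a hypothetical group name
defaultGroup = main_indexer

[tcpout:main_indexer]
# serverA.example.com is a placeholder for server A's hostname or IP
server = serverA.example.com:8189

# --- Server B (forwarder): $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Without at least one input stanza the forwarder has no data of its own to send.
# The path, index and sourcetype below are assumed sample values.
[monitor:///var/log/messages]
disabled = 0
index = main
sourcetype = syslog
```

After restarting both instances, a search for `index=_internal` on the indexer should show the forwarder's host, and events from the monitored file should appear in the index named in the monitor stanza.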