I have Splunk at work and am new to it so I want to learn as much as I can. I installed it at home on my Windows 7 PC and I installed the Forwarder on another Windows 7 PC. Can I use Splunk in this non-domain environment? I'd like the other PC to forward events so I can learn how to search and interpret both localhost data as well as remote data.
Yes, absolutely. I have several such setups.
On your "main" full install of Splunk, go to Settings and then Forwarding and Receiving. Down in the section Receive data click the Configure receiving and make sure you are listening on 9997 for data. If you don't see that or don't see that port set up, follow the instructions in the first 3 (small and easy) sections in the docs for setting up receiving. I don't have an "unconfigured" Splunk system available to see exactly what it looks like if you don't have receiving set up.
Also make sure you can get to and see data with a search like "index=*" from "http://localhost:8000" on that machine.
Once that's working I would - for the sake of being easy and certain - go to your universal forwarder ("UF") machine and uninstall the SplunkUniversalForwarder. Check C:\Program Files\ afterward for a SplunkUniversalForwarder folder and if you find one, delete it. We're going to reinstall with the setting enabled to forward that machine's logs to your "main" Splunk server, and enable some extra logs while we're at it.
To do so, download the latest UF again for your version of Windows from the Forwarder download page and double-click it to install. This time through the installer follow along the UF install on Windows in the docs with a "Customize Options" install. In the Customize options, you'll want to leave most things at their default - I'll repeat all the pertinent steps from their instructions here:
Download, double-click blah blah we know that part.
Select the Check this box to accept the License Agreement check box and click the Customize Options button at the bottom.
Leave the path the same and click Next
Ignore the SSL settings and click Next
Leave it at local system and click Next
For Windows inputs, select all Event Logs ones and all Performance Monitors and click Next
Let it install the included Splunk Add-on for Windows and click Next
Leave the Deployment Server blank and click Next
Change the Receiving Indexer to your main Splunk's IP:9997 (like 192.168.0.51:9997) and click Install
Give that a bit to finish, and another few minutes and you should start seeing TWO hosts in your index=* search!
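The same setup done from the command line instead of the installer screens, as an added example that is not part of the thread or of Splunk's docs. It assumes the indexer address from the answer (192.168.0.51), default install paths on both PCs, a placeholder admin password, and the inputs.conf location the Windows UF installer uses (check your version if the path differs).

```powershell
# Added example (not from the thread): CLI/config equivalent of the GUI steps above.
# Assumptions: indexer at 192.168.0.51, default install paths, admin password placeholder.
$auth = 'admin:YOUR_PASSWORD'   # placeholder, use the admin password you set at install

# --- On the "main" Splunk server (the indexer) ---
$splunk = 'C:\Program Files\Splunk\bin\splunk.exe'
# Same effect as Settings > Forwarding and receiving > Configure receiving > 9997
& $splunk enable listen 9997 -auth $auth
& $splunk restart
# The step the asker had to add by hand: let the forwarder reach TCP 9997 through Windows Firewall.
# Scoping it to the lab subnet keeps the listener from being exposed to anything else.
netsh advfirewall firewall add rule name="Splunk receiving 9997" dir=in action=allow protocol=TCP localport=9997 remoteip=192.168.0.0/24

# --- On the universal forwarder PC ---
$uf = 'C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe'
# Same as the "Receiving Indexer" screen in the installer
& $uf add forward-server 192.168.0.51:9997 -auth $auth
& $uf list forward-server -auth $auth   # 192.168.0.51:9997 should appear under "Active forwards"

# Event Log and perfmon inputs the "Customize Options" screens turn on.
# Security log collection needs the UF running as Local System (the default kept above).
# Assumed path: where the Windows UF installer writes its selected inputs.
$inputsPath = 'C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf'
$inputs = @'
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
[perfmon://CPU]
object = Processor
counters = % Processor Time
instances = *
interval = 10
disabled = 0
'@
New-Item -ItemType Directory -Force -Path (Split-Path $inputsPath) | Out-Null
Set-Content -Path $inputsPath -Value $inputs
& $uf restart

# --- Verify on the indexer (Splunk Web, http://localhost:8000) ---
# index=* | stats count by host
# Two hosts should be listed once the forwarder has been up for a few minutes.
```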
You know, rich7177, if documentation, man pages, how-to guides, and such were as well written and thorough as what you composed our tech lives would be so much more rewarding and so less complicated. Thank you for such an excellent guide. The only thing I did extra was open port 9997 up on the firewall of my Splunk server. I now have two hosts showing up.
Thank you so much.
You are welcome!
I must admit I pulled most of those steps right out of their own documentation - they even include screenshots.
Though Splunk is an awesome product that does wonderful things, I think what really sets it apart is the quality of the documentation and the community that surrounds it.
Stop back if you have more questions!
If rich's answer solved your problem, be sure to "accept" his answer! Thanks 🙂