Hi everyone, I have set up deployment apps with 3 clients. When I edit a file inside one of the apps, it is correctly changed in the local app inside the client.
On the client I have already installed a forwarder that should send the data to the deployment apps. The output.conf should be fine; here is a copy of it:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = indexer1
[tcpout-server://indexer1:9997]
I'm also listening on port 9997, but the data is not coming through, and furthermore in the forwarding manager, under "phone home", there is a red triangle with an exclamation mark in the middle. What does it mean?
In the log file I didn't find anything useful. I can ping the client from the deployment apps, and before using the deployment app, the clients were sending the data.
Let me know, thank you.
For the phone-home: every one of the clients needs to have a deploymentclient.conf file that points to the deployment server. This has to be done manually the first time - there is no way to deploy the initial deploymentclient.conf file via the deployment server!
Your deploymentclient.conf file should point to the deployment server like this:
[deployment-client]
[target-broker:deploymentServer]
targetUri=YourDeplServer.YourCo.com:8089
Note that deploymentclient.conf points to the splunkd process (usually on port 8089) - NOT the forwarding/receiving port! If this file is correct, then that should solve the "phone home" problem. And once the clients phone home, they should be updated with the appropriate apps / configuration files.
Your outputs.conf file seems fine. Your server does have to include the port, like this:
server = 10.38.76.82:9997
Note that in outputs.conf, you must specify the port where the indexer(s) is listening.
Finally, have you configured the indexer(s) to listen on port 9997?
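The two checks described in the answer above (a port on every `server` entry in outputs.conf, and a `targetUri` in deploymentclient.conf that points at the management port rather than the receiving port), as an added Python example that is not part of the original thread. The function names are hypothetical, 8089 and 9997 are the ports named in this thread, and a single `defaultGroup` is assumed.

```python
import re

MGMT_PORT = 8089      # splunkd management port, as named in the thread
RECEIVE_PORT = 9997   # receiving port the thread's indexer listens on

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def port_of(entry):
    """Return the numeric port of 'host:port', or None if it is missing."""
    _, sep, port = entry.rpartition(":")
    return int(port) if sep and port.isdigit() else None

def check_outputs(text):
    """Flag tcpout servers with no port or with the management port."""
    conf = parse_conf(text)
    group = conf.get("tcpout", {}).get("defaultGroup", "")
    servers = conf.get("tcpout:" + group, {}).get("server", "")
    entries = [s.strip() for s in servers.split(",") if s.strip()]
    findings = [] if entries else ["no server set for the default group"]
    for entry in entries:
        port = port_of(entry)
        if port is None:
            findings.append(f"server '{entry}' has no port")
        elif port == MGMT_PORT:
            findings.append(f"server '{entry}' uses the management port")
    return findings

def check_deploymentclient(text):
    """Flag a targetUri that is missing or not aimed at the management port."""
    conf = parse_conf(text)
    uri = conf.get("target-broker:deploymentServer", {}).get("targetUri")
    if uri is None:
        return ["no targetUri under [target-broker:deploymentServer]"]
    port = port_of(uri)
    if port is None:
        return [f"targetUri '{uri}' has no port"]
    if port == RECEIVE_PORT:
        return [f"targetUri '{uri}' points at the receiving port"]
    return []

# outputs.conf as first posted in the thread
POSTED = "[tcpout]\ndefaultGroup = default-autolb-group\n[tcpout:default-autolb-group]\nserver = indexer1\n[tcpout-server://indexer1:9997]\n"
print(check_outputs(POSTED))
```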
Yes, I used
splunk set deploy-poll indexer1:8089
to point the indexer to the forwarder. Also, if I use ./splunk show deploy-poll, it is working fine.
In the output.conf I'm using only port 9997, which is open and listening; I have also checked using telnet.
Any other ideas?
Maybe I can add that 2 clients are Windows and 2 clients are Linux. Does this change anything?
Thank you
I'm currently checking using netstat -at and I'm listening on port 9997.
As local address I have my indexer:9997 and my indexer:8089, and as foreign address I have the IP of the forwarder, but this is only for one of the 4 forwarders. Could this mean anything?
Did you set the deployment option to restart splunkd on the forwarder after installing the app?
I assume you are running Splunk 6.2.3?
You have a syntax problem. It should be
server = indexer1:9997
Also, you don't need this line at all - it is optional and does nothing for you.
[tcpout-server://indexer1:9997]
I removed the last line; what's the meaning of it? And I already write the port after the indexer ._. Basically it is not phoning home (I know, that sounds funny).
When I check the splunkd.log, it says "splunk@indexer1:8089" invalid target and/or port
and connection with host=indexer1 failed
Port 8089 is normally assigned to splunkd - if it is, you can't use it for forwarding. What port do you write "after the indexer?"
At this point, it would be helpful to see (1) the current text of outputs.conf and (2) the complete error message from splunkd.log. I assume that you are talking about the splunkd.log on the forwarder.
This is a copy and paste of the file:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.38.76.82:9997
[tcpout-server://10.38.76.82:9997]
Thank you for your help :)
This outputs.conf file looks fine. Are you still getting the error? What is the full text of the error message in splunkd.log? What version of Splunk are you using?
The latest version of Splunk. The message says: TcpOtputProc : UniversalForwarder not configured. Please configure outputs.conf
And all my clients are not "phoning home"