Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk forwarder not detected

emreorhan
Engager
3 weeks ago

Hello everyone,

I have set up my Splunk server and Splunk forwarder. When I explore the settings, I can see one host as shown in the image. However, when I try to add data from the Add Data section, I get an error like in the other image. Can you help me resolve this issue?

emreorhan_0-1730557577741.pngemreorhan_1-1730557596600.png

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jawahir007
Communicator
3 weeks ago

As the error message says in your screenshot, Configure the universal forwarder as a Deployment Client to your Splunk server.

 

1. Enable Deployment Client on the Universal Forwarder

First, log in to the server where the Universal Forwarder is installed.

2. Create a Deployment Client Configuration

Edit or create the deploymentclient.conf file in the following path:

$SPLUNK_HOME/etc/system/local/deploymentclient.conf

Add the following configuration:

[deployment-client]
# Enable the deployment client
disabled = false

[target-broker:deploymentServer]
# Specify the IP address or hostname and port of the Deployment Server
targetUri = <deployment_server_ip>:<deployment_server_port>
  • <deployment_server_ip>: IP address or hostname of the Splunk Deployment Server.
  • <deployment_server_port>: The port configured for the Deployment Server (default is 8089).

For example:

[deployment-client]
disabled = false

[target-broker:deploymentServer]
targetUri = 192.168.1.100:8089

3. Restart the Splunk Universal Forwarder

To apply the changes, restart the Splunk Universal Forwarder:

$SPLUNK_HOME/bin/splunk restart

4. Verify the Deployment Client Connection on the Deployment Server

On the Splunk Deployment Server, go to:

  1. Settings > Forwarder Management.
  2. Under Clients, you should see the new Universal Forwarder listed as a deployment client.

------

If you find this solution helpful, please consider accepting it and awarding karma points !!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

emreorhan
Engager
3 weeks ago

@PickleRick , @jawahir007 

Thank you for your responses; my issue has been resolved.

 

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
3 weeks ago

To elaborate on @jawahir007 's answer.

What you see "in settings" is forwarder monitoring. It only shows you what it can read from forwarder's internal logs sent to your Splunk server. It shows your forwarder so it means your output on the forwarder is set correctly to your Splunk server and the data if properly forwarded. I'm assuming so far no "production" data is being forwarded, just the internal forwarder's logs.

What you're trying to do - add an input from remote forwarder is something completely different which is done with a Deployment Server functionality. Typically in a big setup a Deployment Server is an additional server which "governs" configuration of its deployment clients (usually forwarders). In your case, as you have just one Splunk server, you must point your forwarder to your server as @jawahir007 showed. BTW, in production use you normally don't use the GUI to add remote inputs but that's a story for another time 😉

0 Karma
Reply
Solved! Jump to solution
Solution

jawahir007
Communicator
3 weeks ago

As the error message says in your screenshot, Configure the universal forwarder as a Deployment Client to your Splunk server.

 

1. Enable Deployment Client on the Universal Forwarder

First, log in to the server where the Universal Forwarder is installed.

2. Create a Deployment Client Configuration

Edit or create the deploymentclient.conf file in the following path:

$SPLUNK_HOME/etc/system/local/deploymentclient.conf

Add the following configuration:

[deployment-client]
# Enable the deployment client
disabled = false

[target-broker:deploymentServer]
# Specify the IP address or hostname and port of the Deployment Server
targetUri = <deployment_server_ip>:<deployment_server_port>
  • <deployment_server_ip>: IP address or hostname of the Splunk Deployment Server.
  • <deployment_server_port>: The port configured for the Deployment Server (default is 8089).

For example:

[deployment-client]
disabled = false

[target-broker:deploymentServer]
targetUri = 192.168.1.100:8089

3. Restart the Splunk Universal Forwarder

To apply the changes, restart the Splunk Universal Forwarder:

$SPLUNK_HOME/bin/splunk restart

4. Verify the Deployment Client Connection on the Deployment Server

On the Splunk Deployment Server, go to:

  1. Settings > Forwarder Management.
  2. Under Clients, you should see the new Universal Forwarder listed as a deployment client.

------

If you find this solution helpful, please consider accepting it and awarding karma points !!
0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...