Deployment Architecture

Splunk forwarder not detected

emreorhan
Engager

Hello everyone,

I have set up my Splunk server and Splunk forwarder. When I explore the settings, I can see one host as shown in the image. However, when I try to add data from the Add Data section, I get an error like in the other image. Can you help me resolve this issue?


jawahir007
Communicator

As the error message says in your screenshot, configure the universal forwarder as a Deployment Client to your Splunk server.

 

1. Enable Deployment Client on the Universal Forwarder

First, log in to the server where the Universal Forwarder is installed.

2. Create a Deployment Client Configuration

Edit or create the deploymentclient.conf file in the following path:

$SPLUNK_HOME/etc/system/local/deploymentclient.conf

Add the following configuration:

[deployment-client]
# Enable the deployment client
disabled = false

[target-broker:deploymentServer]
# Specify the IP address or hostname and port of the Deployment Server
targetUri = <deployment_server_ip>:<deployment_server_port>

  • <deployment_server_ip>: IP address or hostname of the Splunk Deployment Server.
  • <deployment_server_port>: The port configured for the Deployment Server (default is 8089).

For example:

[deployment-client]
disabled = false

[target-broker:deploymentServer]
targetUri = 192.168.1.100:8089

3. Restart the Splunk Universal Forwarder

To apply the changes, restart the Splunk Universal Forwarder:

$SPLUNK_HOME/bin/splunk restart

4. Verify the Deployment Client Connection on the Deployment Server

On the Splunk Deployment Server, go to:

  1. Settings > Forwarder Management.
  2. Under Clients, you should see the new Universal Forwarder listed as a deployment client.

------

If you find this solution helpful, please consider accepting it and awarding karma points!!

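A check that can be run on the forwarder between steps 2 and 3 of the answer above. This is an added example, not part of the original post or of Splunk's tooling: the function name check_deployment_client is hypothetical, it only accepts the host:port form of targetUri shown in the answer, and the expected deployment server is an assumption supplied by the operator.

```shell
#!/bin/sh
# Added example: audit deploymentclient.conf before restarting the forwarder.
# Usage: check_deployment_client FILE EXPECTED_URI   (EXPECTED_URI is host:port)
check_deployment_client() {
    conf=$1 expected=$2
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    # Track the current stanza so keys are only read from the right section.
    result=$(awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); stanza = $0; next }
        index($0, "=") {
            key = trim(substr($0, 1, index($0, "=") - 1))
            val = trim(substr($0, index($0, "=") + 1))
            if (stanza == "deployment-client" && key == "disabled") disabled = val
            if (stanza ~ /^target-broker:/ && key == "targetUri") uri = val
        }
        END { print disabled "|" uri }' "$conf")
    disabled=${result%%|*} uri=${result#*|}
    case $disabled in
        false|False|FALSE|0) ;;
        *) echo "deployment client not enabled (disabled='$disabled')"; return 1 ;;
    esac
    case $uri in
        '') echo "targetUri missing"; return 1 ;;
        *'<'*|*'>'*) echo "targetUri still contains a template placeholder"; return 1 ;;
    esac
    host=${uri%:*} port=${uri##*:}
    case $port in
        ''|*[!0-9]*) echo "targetUri has no numeric port"; return 1 ;;
    esac
    if [ -z "$host" ] || [ "$host" = "$uri" ]; then
        echo "targetUri is not host:port"; return 1
    fi
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range"; return 1
    fi
    # The deployment server controls this forwarder's configuration, so pin it.
    [ "$uri" = "$expected" ] || { echo "unexpected deployment server $uri"; return 1; }
    echo "ok $uri"
}

# Constructed sample mirroring the example stanza in the answer above.
sample=$(mktemp)
printf '%s\n' '[deployment-client]' 'disabled = false' '' \
    '[target-broker:deploymentServer]' 'targetUri = 192.168.1.100:8089' > "$sample"
check_deployment_client "$sample" 192.168.1.100:8089
rm -f "$sample"
```

A non-zero return with a one-line reason means the file should be corrected before the restart in step 3.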

emreorhan
Engager

@PickleRick , @jawahir007 

Thank you for your responses; my issue has been resolved.


PickleRick
SplunkTrust

To elaborate on @jawahir007 's answer.

What you see "in settings" is forwarder monitoring. It only shows you what it can read from the forwarder's internal logs sent to your Splunk server. It shows your forwarder, so it means your output on the forwarder is set correctly to your Splunk server and the data is properly forwarded. I'm assuming so far no "production" data is being forwarded, just the internal forwarder's logs.

What you're trying to do, adding an input from a remote forwarder, is something completely different, which is done with the Deployment Server functionality. Typically in a big setup a Deployment Server is an additional server which "governs" configuration of its deployment clients (usually forwarders). In your case, as you have just one Splunk server, you must point your forwarder to your server as @jawahir007 showed. BTW, in production use you normally don't use the GUI to add remote inputs but that's a story for another time 😉
