Deployment Architecture
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk forwarder not detected

emreorhan
Engager
‎11-02-2024 07:28 AM

Hello everyone,

I have set up my Splunk server and Splunk forwarder. When I explore the settings, I can see one host as shown in the image. However, when I try to add data from the Add Data section, I get an error like in the other image. Can you help me resolve this issue?

emreorhan_0-1730557577741.pngemreorhan_1-1730557596600.png

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jawahir007
Communicator
‎11-02-2024 07:43 AM

As the error message says in your screenshot, Configure the universal forwarder as a Deployment Client to your Splunk server.

 

1. Enable Deployment Client on the Universal Forwarder

First, log in to the server where the Universal Forwarder is installed.

2. Create a Deployment Client Configuration

Edit or create the deploymentclient.conf file in the following path:

$SPLUNK_HOME/etc/system/local/deploymentclient.conf

Add the following configuration:

[deployment-client]
# Enable the deployment client
disabled = false

[target-broker:deploymentServer]
# Specify the IP address or hostname and port of the Deployment Server
targetUri = <deployment_server_ip>:<deployment_server_port>
  • <deployment_server_ip>: IP address or hostname of the Splunk Deployment Server.
  • <deployment_server_port>: The port configured for the Deployment Server (default is 8089).

For example:

[deployment-client]
disabled = false

[target-broker:deploymentServer]
targetUri = 192.168.1.100:8089

3. Restart the Splunk Universal Forwarder

To apply the changes, restart the Splunk Universal Forwarder:

$SPLUNK_HOME/bin/splunk restart

4. Verify the Deployment Client Connection on the Deployment Server

On the Splunk Deployment Server, go to:

  1. Settings > Forwarder Management.
  2. Under Clients, you should see the new Universal Forwarder listed as a deployment client.

------

If you find this solution helpful, please consider accepting it and awarding karma points !!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

emreorhan
Engager
‎11-03-2024 03:55 AM

@PickleRick , @jawahir007 

Thank you for your responses; my issue has been resolved.

 

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-02-2024 03:09 PM

To elaborate on @jawahir007 's answer.

What you see "in settings" is forwarder monitoring. It only shows you what it can read from forwarder's internal logs sent to your Splunk server. It shows your forwarder so it means your output on the forwarder is set correctly to your Splunk server and the data if properly forwarded. I'm assuming so far no "production" data is being forwarded, just the internal forwarder's logs.

What you're trying to do - add an input from remote forwarder is something completely different which is done with a Deployment Server functionality. Typically in a big setup a Deployment Server is an additional server which "governs" configuration of its deployment clients (usually forwarders). In your case, as you have just one Splunk server, you must point your forwarder to your server as @jawahir007 showed. BTW, in production use you normally don't use the GUI to add remote inputs but that's a story for another time 😉

0 Karma
Reply
Solved! Jump to solution
Solution

jawahir007
Communicator
‎11-02-2024 07:43 AM

As the error message says in your screenshot, Configure the universal forwarder as a Deployment Client to your Splunk server.

 

1. Enable Deployment Client on the Universal Forwarder

First, log in to the server where the Universal Forwarder is installed.

2. Create a Deployment Client Configuration

Edit or create the deploymentclient.conf file in the following path:

$SPLUNK_HOME/etc/system/local/deploymentclient.conf

Add the following configuration:

[deployment-client]
# Enable the deployment client
disabled = false

[target-broker:deploymentServer]
# Specify the IP address or hostname and port of the Deployment Server
targetUri = <deployment_server_ip>:<deployment_server_port>
  • <deployment_server_ip>: IP address or hostname of the Splunk Deployment Server.
  • <deployment_server_port>: The port configured for the Deployment Server (default is 8089).

For example:

[deployment-client]
disabled = false

[target-broker:deploymentServer]
targetUri = 192.168.1.100:8089

3. Restart the Splunk Universal Forwarder

To apply the changes, restart the Splunk Universal Forwarder:

$SPLUNK_HOME/bin/splunk restart

4. Verify the Deployment Client Connection on the Deployment Server

On the Splunk Deployment Server, go to:

  1. Settings > Forwarder Management.
  2. Under Clients, you should see the new Universal Forwarder listed as a deployment client.

------

If you find this solution helpful, please consider accepting it and awarding karma points !!
0 Karma
Reply
Get Updates on the Splunk Community!

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...
Top