
Unable to see the forwarded data in the Splunk receiver when forwarding the data using the Windows universal forwarder

rahsaha
Engager

I am trying to use the Windows universal forwarder to forward data which is coming in on my localhost port 9998. A Java program is writing data to my localhost port 9998; I want my universal forwarder to listen to this data and forward it to a Splunk receiver's port 9997.

For this, the config files on the universal forwarder side are:

inputs.conf content:
# The forwarder itself binds and listens on TCP 9998 (all interfaces).
# A producer must connect to this port as a client; a second listener
# on 9998 cannot bind while the forwarder holds it.
# Anything that can reach 9998 can inject events into this input;
# restrict the allowed sources with acceptFrom if the producer is local.
[tcp://:9998]
connection_host = ip

outputs.conf content-
[tcpout]
disabled= false
defaultGroup = default-autolb-group
useACK=true

[tcpout:default-autolb-group]
disabled= false
server = 10.74.163.105:9997

[tcpout-server://10.74.163.105:9997]
disabled= false

And the content of the inputs.conf file on the Splunk receiver is:

inputs.conf content:

[default]
host = IN-AIR-BIMAP110

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

# Receiving port for forwarders. Data arriving from a forwarder already
# carries its index and sourcetype metadata, so set those in the
# forwarder's inputs.conf rather than here.
# queue = indexQueue bypasses the parsing pipeline on the receiver; that is
# only appropriate for data already parsed by a heavy forwarder. A universal
# forwarder sends unparsed data, so the default parsingQueue is what you want.
[splunktcp://9997]
disabled = 0
index = test_tcp2
queue = indexQueue
sourcetype = csv

With all these configs set, when I search for the data, no data is shown by the Splunk receiver.
I need help to know whether the config file settings are fine.

0 Karma

rahsaha
Engager

Hello C_Sparn. Maybe my forwarder is establishing a connection with the receiver, but to be able to see any result the forwarder should be forwarding some data. I guess in my case the forwarder is forwarding no events. As I said earlier, the Java program is not able to write anything on port 9998, so the forwarder has nothing to forward. If you can help me with how to make the Java program write to the same port while my forwarder is listening. Waiting for your reply. Nice to chat with you.

0 Karma

rahsaha
Engager

Hi C_Sparn. I ran the netstat command. The output it is giving is as follows: TCP 10.76.17.213:65500 (local address) 10.74.163.105:9997 (foreign address) ESTABLISHED. Does this mean the forwarder is sending data to my receiver?

0 Karma

C_Sparn
Communicator

Hello,

Yes, that means that the connection between the forwarder and receiver is established! You can also test whether data is sent to the receiver if you check your TCP connections with the netstat command after running your Java program. Do you still not see any input when you search for anything in the web frontend?
Besides, you can set the sourcetype in the forwarder input.

0 Karma

rahsaha
Engager

Hi C_Sparn. I searched in the main index; nothing there. The root cause, which is my guess, is that when I point my universal forwarder to listen to port 9998 on my localhost, the Java program which tries to write data to my localhost port 9998 is unable to write data, throwing this exception (Exception while opening the Port Address already in use: JVM_Bind). That means the Java program should be able to write on 9998 at the same time the Splunk universal forwarder should be able to listen to that data. Do you have any idea on this?

0 Karma

rahsaha
Engager

Hi C_Sparn,
I am getting this output: Active Forwards: 10.74.163.105:9997 Configured but Inactive forwards: None. Does this indicate that the forwarder is forwarding?

0 Karma

kheli
Path Finder

How did you search for the data? Looking at your configs, the data most likely ended up in index=main.

The index=test_tcp2 under the splunktcp stanza won't override the index specified in your forwarder.

rahsaha
Engager

Hi kheli. I searched in the main index; nothing there. The root cause, which is my guess, is that when I point my universal forwarder to listen to port 9998 on my localhost, the Java program which tries to write data to my localhost port 9998 is unable to write data, throwing this exception (Exception while opening the Port Address already in use: JVM_Bind). That means the Java program should be able to write on 9998 at the same time the Splunk universal forwarder should be able to listen to that data. Do you have any idea on this?

0 Karma
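The "Address already in use: JVM_Bind" error described in the two posts above is the Java program trying to open a server socket on port 9998 while the universal forwarder's [tcp://:9998] input already owns that port; only one process can listen on a TCP port at a time. The producer has to be the client side of the connection. The example below is added here and is not code from the thread, from Splunk, or from the poster's Java program: a stand-in listener plays the part of the forwarder's TCP input, a second bind on the same port reproduces the failure, and a client connection writes newline-delimited events that the listener receives. The 127.0.0.1 address, the ephemeral port (instead of 9998, so the example runs anywhere) and the CSV sample lines are constructed for the example.

```python
import errno
import socket
import threading

HOST = "127.0.0.1"               # producer and forwarder on the same box, as in the thread
ADDR_IN_USE = errno.EADDRINUSE   # the OS error behind "Address already in use: JVM_Bind"

# Constructed sample events in the csv sourcetype the receiver expects (not real data).
SAMPLE_EVENTS = [
    "2024-03-01T10:00:00Z,login,alice,10.0.0.5,success",
    "2024-03-01T10:00:07Z,login,alice,10.0.0.5,failure",
    "2024-03-01T10:00:09Z,sudo,bob,10.0.0.7,success",
]


def start_listener(host=HOST, port=0):
    """Stand-in for the forwarder's [tcp://...] input: bind and listen.
    port=0 lets the OS pick a free port so the example is not tied to 9998."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.settimeout(5)
    srv.bind((host, port))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def try_bind_again(host, port):
    """The mistake in the thread: a second process opening a *server* socket on
    the port the forwarder already holds. Returns the errno of the failed bind
    (EADDRINUSE), or None if the bind unexpectedly succeeded."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return None
    except OSError as e:
        return e.errno
    finally:
        s.close()


def send_events(host, port, events):
    """The producer pattern that works: connect as a *client* and write
    newline-delimited events; the listening side splits them on '\\n'."""
    with socket.create_connection((host, port), timeout=5) as c:
        c.sendall("".join(ev + "\n" for ev in events).encode("utf-8"))


def receive_events(srv, expected):
    """Accept one producer connection and read until `expected` lines arrive
    or the peer closes the connection."""
    conn, _ = srv.accept()
    conn.settimeout(5)
    buf = b""
    with conn:
        while buf.count(b"\n") < expected:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
    return [line.decode("utf-8") for line in buf.split(b"\n") if line]


def demo(events=SAMPLE_EVENTS):
    """Run the whole exchange. Returns (errno of the second bind, events received)."""
    srv, port = start_listener()
    received = []
    try:
        bind_err = try_bind_again(HOST, port)          # reproduces JVM_Bind
        reader = threading.Thread(
            target=lambda: received.extend(receive_events(srv, len(events))))
        reader.start()
        send_events(HOST, port, events)                # the client-side fix
        reader.join(timeout=10)
    finally:
        srv.close()
    return bind_err, received


if __name__ == "__main__":
    err, got = demo()
    print("second listener on the same port failed with errno", err,
          "(EADDRINUSE)" if err == ADDR_IN_USE else "")
    print("listener received", len(got), "events:", got)
```

In the Java program this is the difference between `new ServerSocket(9998)` (fails while the forwarder is listening) and `new Socket("localhost", 9998)` followed by writing lines to its output stream. Since the forwarder's input accepts whatever connects, keep the producer local or use acceptFrom on the input so other hosts cannot inject events.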

C_Sparn
Communicator

Hello,

Try to set your inputs.conf of the forwarder with [tcp://localhost:9998] and disabled= false under connection_host.
Then test the connection between the forwarder and the receiver with this line in the Windows cmd:

path-to-splunk-folder\bin\splunk list forward-server

If the connection is established, this line shows the connected receivers.
Greetings

0 Karma