Unable to see the forwarded data in the Splunk receiver when forwarding the data using the Windows universal forwarder

Engager

I am trying to use the Windows universal forwarder to forward data that is coming in on my localhost port 9998. A Java program is writing data to my localhost port 9998; I want my universal forwarder to listen to this data and forward it to a Splunk receiver's port 9997.

For this, the config files on the universal forwarder side are:

inputs.conf content-
[tcp://:9998]
connection_host=ip

outputs.conf content-
[tcpout]
disabled= false
defaultGroup = default-autolb-group
useACK=true

[tcpout:default-autolb-group]
disabled= false
server = 10.74.163.105:9997

[tcpout-server://10.74.163.105:9997]
disabled= false

And the content of the inputs.conf file on the Splunk receiver is:

inputs.conf content-

[default]
host = IN-AIR-BIMAP110

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[splunktcp://9997]
disabled = 0
index= test_tcp2
queue= indexQueue
sourcetype=csv

After setting all these configs, when I search for the data, no data is shown by the Splunk receiver.
I need help checking whether the config file settings are fine.

0 Karma

Engager

Hello C_Sparn. Maybe my forwarder is establishing a connection with the receiver, but to be able to see any result the forwarder should be forwarding some data. I guess in my case the forwarder is forwarding no events. As I said earlier, the Java program is not able to write anything on port 9998, so the forwarder has nothing to forward. Could you help me with how to make the Java program write to the same port while my forwarder is listening? Waiting for your reply. Nice to chat with you.

0 Karma

Engager

Hi C_Sparn. I ran the netstat command. The output it gives is as follows: TCP 10.76.17.213:65500 (local address) 10.74.163.105:9997 (foreign address) ESTABLISHED. Does this mean the forwarder is sending data to my receiver?

0 Karma

Communicator

Hello,

Yes, that means that the connection between the forwarder and receiver is established! You can also test whether data is sent to the receiver by checking your TCP connections with the netstat command after running your Java program. Do you still not see any input when you search for anything in the web frontend?
Besides, you can set the sourcetype in the forwarder input.

0 Karma

Engager

Hi C_Sparn. I searched in the main index; nothing is there. My guess at the root cause is that when I point my universal forwarder to listen on port 9998 on my localhost, the Java program that tries to write data to my localhost port 9998 is unable to write data and throws this exception (Exception while opening the Port Address already in use: JVM_Bind). That means the Java program should be able to write on 9998 at the same time as the Splunk universal forwarder is listening for that data. Do you have any idea on this?

0 Karma

Engager

Hi C_Sparn,
I am getting this output: Active Forwards: 10.74.163.105:9997 Configured but Inactive forwards:None. Does this indicate that the forwarder is forwarding?

0 Karma

Path Finder

How did you search for the data? Looking at your configs, the data most likely ended up in index=main.

The index=test_tcp2 under splunktcp stanza won't override the index specified in your forwarder.

Engager

Hi kheli. I searched in the main index; nothing is there. My guess at the root cause is that when I point my universal forwarder to listen on port 9998 on my localhost, the Java program that tries to write data to my localhost port 9998 is unable to write data and throws this exception (Exception while opening the Port Address already in use: JVM_Bind). That means the Java program should be able to write on 9998 at the same time as the Splunk universal forwarder is listening for that data. Do you have any idea on this?

0 Karma
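
The bind conflict in the post above, as an added example that is not part of the original thread: a TCP input is the listening side of the connection, so a second program that also binds the port gets a BindException, while a program that connects to the port as a client can write to it. The class name, the loopback stand-in listener and the sample event are constructed for illustration, and an OS-assigned port replaces 9998 so the demo runs without a forwarder.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.BindException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

public class PortRoleDemo {
    public static void main(String[] args) throws IOException {
        InetAddress loopback = InetAddress.getLoopbackAddress();

        // Stand-in for the forwarder's [tcp://:9998] input: the listener owns the port.
        // Port 0 asks the OS for a free port, so the demo cannot collide with a real forwarder.
        try (ServerSocket listener = new ServerSocket(0, 1, loopback)) {
            int port = listener.getLocalPort();

            // A sender that opens its own ServerSocket on the same port is a second bind.
            try (ServerSocket second = new ServerSocket(port, 1, loopback)) {
                System.out.println("unexpected: second bind succeeded");
            } catch (BindException e) {
                System.out.println("second bind failed: " + e.getMessage());
            }

            // A sender that connects to the listening port as a client can write to it.
            try (Socket sender = new Socket(loopback, port)) {
                OutputStream out = sender.getOutputStream();
                // Constructed sample event, newline-terminated so the reader sees one line.
                out.write("2024-01-01 00:00:00,constructed,sample event\n"
                        .getBytes(StandardCharsets.UTF_8));
                out.flush();

                // Listener side: accept the pending connection and read the event.
                try (Socket accepted = listener.accept();
                     BufferedReader in = new BufferedReader(new InputStreamReader(
                             accepted.getInputStream(), StandardCharsets.UTF_8))) {
                    System.out.println("listener received: " + in.readLine());
                }
            }
        }
    }
}
```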

Communicator

Hello,

Try to set your inputs.conf of the forwarder with [tcp://localhost:9998] and disabled= false under connection_host.
Then test the connection between the forwarder and the receiver with this line in the Windows cmd:

path-to-splunk-folder\bin\splunk list forward-server

If the connection is established, this line shows the connected receivers.
Greetings

0 Karma