Splunk Dev

Data not readable on receiver

eholz1
Contributor

Hello All,

I have a question. It seems that I am unable to correctly configure a relationship from
a server which has the Universal Forwarder installed (and acts like it is forwarding data).
On the forwarder I have inputs set to a log file, and outputs set to the Splunk Enterprise server.

I have attempted (via the web interface and the CLI) to configure a "receiver" on everyone's favorite port: 9997.
I have not configured anything in "Data Inputs" or "Monitoring" on the Splunk Enterprise server.
I get NO data from the server with the Universal Forwarder installed.

If I delete the receiver port (9997), go to the Add Data area, select Monitor, and then add port, IP, a generic one-line sourcetype,
and an index, I get data in, but it is all unreadable slashes and zeros, etc.

So my question is - what am I missing here?

Thanks

eholz1

0 Karma
1 Solution

woodcock
Esteemed Legend

Your outputs.conf on the UF should only have this:

[tcpout]
defaultGroup=cacti_index
[tcpout:cacti_index]
server=10.48.11.69:9997

You also need an inputs.conf like this on your indexer:

[splunktcp://9997]


0 Karma
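The accepted answer above is the minimal working pair. The forwarder config eholz1 posts further down the thread (a second "server" entry of cacti_index:9996, and a raw TCP input created through Add Data instead of a receiving port) shows the two mistakes that produce either no data or unreadable data: a Universal Forwarder talks the Splunk-to-Splunk (S2S) protocol, so a [tcp://9997] input stores the binary framing as it arrives, which is where the slashes and zeros come from; only a [splunktcp://] or [splunktcp-ssl:] stanza decodes it. The Python script below is an added example, not code from the thread or from Splunk. It parses both .conf files, flags those mistakes, and also checks two things a receiving port should have before it faces a network: TLS with a client certificate, and an acceptFrom ACL, because an open splunktcp port accepts events from any host that can reach it. The sample configs are constructed: 10.48.11.69:9997 and the cacti_index group come from the thread; the certificate paths, the sourcetype name and the 10.48.11.0/24 range are assumed values. It does not look at deploymentclient.conf; note that targetUri there points at the deployment server's management port (8089 by default), not at the receiving port.

```python
import re

# Hostnames may not contain '_' (RFC 1123); that catches an index name pasted in as a host.
HOSTPORT = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_outputs(outputs):
    """Lint a forwarder outputs.conf; return (findings, set of destination ports)."""
    findings, ports = [], set()
    group = outputs.get("tcpout", {}).get("defaultGroup")
    if not group:
        return ["outputs.conf: [tcpout] has no defaultGroup"], ports
    stanza = outputs.get(f"tcpout:{group}")
    if stanza is None:
        return [f"outputs.conf: defaultGroup={group} but no [tcpout:{group}] stanza"], ports
    for entry in stanza.get("server", "").split(","):
        entry = entry.strip()
        m = HOSTPORT.match(entry)
        if not m or not 1 <= int(m["port"]) <= 65535:
            findings.append(f"outputs.conf: bad server entry {entry!r} (expected host:port)")
        else:
            ports.add(int(m["port"]))
    if not any(k in stanza for k in ("clientCert", "sslRootCAPath")):
        findings.append("outputs.conf: no clientCert/sslRootCAPath; forwarder-to-indexer TLS not configured here")
    return findings, ports


def check_inputs(inputs, ports):
    """Lint an indexer inputs.conf against the ports the forwarder sends to."""
    findings = []
    ssl = inputs.get("SSL", {})  # serverCert / requireClientCert live in the [SSL] stanza
    for port in sorted(ports):
        raw, plain, tls = f"tcp://{port}", f"splunktcp://{port}", f"splunktcp-ssl:{port}"
        if raw in inputs:
            findings.append(f"inputs.conf: [{raw}] is a raw TCP input; S2S-framed forwarder traffic indexes as unreadable binary")
        if tls in inputs:
            if ssl.get("requireClientCert", "false").lower() != "true":
                findings.append(f"inputs.conf: [{tls}] present but [SSL] requireClientCert is not true")
        elif plain in inputs:
            findings.append(f"inputs.conf: [{plain}] receives in clear text; prefer [{tls}]")
        else:
            findings.append(f"inputs.conf: no [{plain}] or [{tls}] receiver for port {port}")
        for name in (plain, tls):
            if name in inputs and "acceptFrom" not in inputs[name]:
                findings.append(f"inputs.conf: [{name}] has no acceptFrom ACL; any host that reaches it can inject events")
    return findings


def lint(outputs_text, inputs_text):
    out_findings, ports = check_outputs(parse_conf(outputs_text))
    return out_findings + check_inputs(parse_conf(inputs_text), ports)


# Constructed sample 1: the forwarder config posted in the thread, paired with the raw
# TCP input created through Add Data (the sourcetype name is assumed).
BROKEN_OUTPUTS = """
[tcpout]
defaultGroup=cacti_index
[tcpout:cacti_index]
server=10.48.11.69:9997, cacti_index:9996
[tcpout-server://10.48.11.69:9997]
"""
BROKEN_INPUTS = """
[tcp://9997]
sourcetype = generic_single_line
"""

# Constructed sample 2: the accepted answer hardened with mutual TLS and a source ACL
# (certificate paths and the 10.48.11.0/24 range are assumed values).
GOOD_OUTPUTS = """
[tcpout]
defaultGroup=cacti_index
[tcpout:cacti_index]
server=10.48.11.69:9997
clientCert = $SPLUNK_HOME/etc/auth/uf.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
sslVerifyServerCert = true
"""
GOOD_INPUTS = """
[splunktcp-ssl:9997]
acceptFrom = 10.48.11.0/24
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/indexer.pem
requireClientCert = true
"""

if __name__ == "__main__":
    print(*lint(BROKEN_OUTPUTS, BROKEN_INPUTS), sep="\n")
```

On the first sample lint() reports four findings: the cacti_index:9996 server entry, the missing forwarder-side TLS, the raw [tcp://9997] input (the source of the unreadable data) and the absent [splunktcp://9997] receiver. The hardened pair returns no findings. The accepted answer's minimal pair passes the hard checks and draws only the three advisory findings about clear-text transport and the missing acceptFrom, which is the right order of work: get [splunktcp://9997] receiving first, then move to [splunktcp-ssl:9997] with requireClientCert and an ACL before the port is reachable from anything but the forwarders.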


eholz1
Contributor

Hello Mr. Woodcock,

I do still have questions. The Universal Forwarder seems to be OK. Will incorporate your changes. I may be going to the wrong place to get, or set up, the data on the indexer.

I assumed that part of the configuration on the indexer is: go to Settings, then "Receiving and Forwarding", and set the TCP port there for receiving. When I do this I do not get any data. If I delete this setting, and go to "Settings", Data Input, and monitor Local TCP/UDP,
I get data. If I go down to the Forwarding and Receiving section in Data Input, I get no data using "get forwarded data". I am guessing that the lower section in the dialog window is really for an indexer that is set up as a receiver or forwarder. Is this correct?

And - thanks for the post, it is very helpful

eholz1

0 Karma

eholz1
Contributor

One more note: followed your suggestions, and after restarting the Universal Forwarder and the Splunk indexer
with your suggestions in place, it actually works! I am in shock. Now for my field extractions!

Thanks Again,

eholz1

0 Karma

eholz1
Contributor

Will do:
These files are in /opt/splunkforwarder/etc/system/local

From the server with Universal Forwarder installed:
outputs.conf:
[tcpout]
defaultGroup=cacti_index
[tcpout:cacti_index]
server=10.48.11.69:9997, cacti_index:9996
[tcpout-server://10.48.11.69:9997]

inputs.conf: the file is empty, no entries, only [default].
If I do a ./splunk list monitor it shows the file that I want to monitor.

I have a file: deployement.conf:
[target-broker:deploymentServer]
targetUri = 10.48.11.66:9997

On the Splunk Enterprise Server:
configured from the web GUI

I did take a look at the README dir. I will check my config on the forwarder.

Thanks,

Eholz

0 Karma

woodcock
Esteemed Legend

Show us the contents of each inputs.conf and outputs.conf file and which server has it.

0 Karma