I'm new to Splunk and am setting up a Splunk Cloud trial version.
I have installed a Splunk forwarder on a Win 2008 R2 64X machine and followed all the steps mentioned in http://docs.splunk.com/Documentation/SplunkCloud/6.5.0/User/ForwardDataToSplunkCloudFromWindows
I did all the default settings as explained in Steps 1 to 3, but cannot move to Step 4.
I'm not able to see the forwarder in the Add Data page.
The error in the logs says:
10-26-2016 20:38:09.175 -0400 ERROR TcpOutputFd - Connection to host=xx.xxx.xxx.xxx:9997 failed
10-26-2016 20:38:17.075 -0400 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
10-26-2016 20:38:21.688 -0400 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr:
10-26-2016 20:38:21.688 -0400 INFO HttpPubSubConnection - Could not obtain connection, will retry after=33.948 seconds.
10-26-2016 20:38:29.076 -0400 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
10-26-2016 20:38:39.085 -0400 WARN TcpOutputFd - Connect to xx.xxx.xxx.xxx:9997 failed. No connection could be made because the target machine actively refused it.
What am I doing wrong?
Either the cloud server rule will not allow traffic from your forwarder, or the Windows box's local firewall will not allow it out.
Try to telnet to your host.
telnet X.x.x.x 9997
I'm guessing somewhere in the cloud setup you must allow hosts to forward to the server. I've only ever used on-premise systems.
I also doubt so.
Can you please help: what all ports should be open on my Windows server where I've installed the universal forwarder?
I would go to http://www.whatsmyip.org/ and get your external IP. Then on the cloud side, open these ports INBOUND (TCP/UDP) from that IP. Or just open everything from your public IP.
9997 for forwarders to the Splunk indexer.
8000 for clients to the Splunk Search page.
8089 for splunkd (also used by the deployment server).
Also, on the Windows firewall of the forwarder, make sure that splunkd.exe can communicate outbound on those ports.
I also imagine you can get in touch with your Splunk sales guy. If you have a trial, they might be willing to help you get set up on the chance that you might buy the product.
Lastly, if all else fails, download the Enterprise version for a 30-day trial, and install it on a VM in your environment.
It's useful to keep one of these Enterprise Splunk servers running internally to test stuff with anyway. I keep one on AWS in the free tier, and have another running on a small VMware Linux box.
-JD
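The triage the answer describes (read the TcpOutputFd failures out of splunkd.log, then do the equivalent of `telnet host 9997`) as an added example; this is not code from the thread or from Splunk. The log lines and the 192.0.2.x addresses are constructed, and it distinguishes a "refused" answer (port closed, or a firewall sending a reset) from a silent "timeout" (traffic dropped), which tells you whether to look at the cloud-side rule or at the local firewall.

```python
"""Triage Splunk universal forwarder connectivity from splunkd.log lines.

Added example, not part of the original thread. Collects the indexer
targets the forwarder failed to reach and probes each with a plain TCP
connect, the same check the answer suggests doing with telnet.
"""
import re
import socket

# Constructed sample lines in the format splunkd.log uses (addresses are documentation ranges).
SAMPLE_LOG = """\
10-26-2016 20:38:09.175 -0400 ERROR TcpOutputFd - Connection to host=192.0.2.10:9997 failed
10-26-2016 20:38:17.075 -0400 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
10-26-2016 20:38:39.085 -0400 WARN TcpOutputFd - Connect to 192.0.2.10:9997 failed. No connection could be made because the target machine actively refused it.
10-26-2016 20:38:40.000 -0400 INFO TcpOutputProc - Connected to idx=192.0.2.11:9997
"""

# Matches both "Connection to host=IP:PORT failed" and "Connect to IP:PORT failed".
FAIL_RE = re.compile(
    r"(?:ERROR|WARN) TcpOutputFd - Connect(?:ion)? to (?:host=)?"
    r"(?P<host>[\w.\-]+):(?P<port>\d+) failed"
)


def failed_targets(log_text):
    """Return the distinct (host, port) pairs the forwarder could not reach, in log order."""
    seen = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            target = (m.group("host"), int(m.group("port")))
            if target not in seen:
                seen.append(target)
    return seen


def check_tcp(host, port, timeout=3.0):
    """Probe host:port like 'telnet host port'; returns 'open', 'refused', 'timeout' or 'unreachable'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "timeout"        # packets silently dropped (firewall DROP rule or no route)
        except ConnectionRefusedError:
            return "refused"        # nothing listening, or a firewall answered with a reset
        except OSError:
            return "unreachable"    # e.g. no route to host, DNS failure


if __name__ == "__main__":
    for host, port in failed_targets(SAMPLE_LOG):
        print(f"{host}:{port} -> {check_tcp(host, port)}")
```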
Thanks for the information!
Will try them and let you know.