Getting Data In

After installing a forwarder on Windows to send data to a Splunk Cloud trial, why do I not see the forwarder in the Add Data page?

adminimv
New Member

I'm new to Splunk and am setting up a Splunk Cloud trial version.

I have installed a Splunk forwarder on a Win 2008 R2 64X machine and followed all the steps mentioned in http://docs.splunk.com/Documentation/SplunkCloud/6.5.0/User/ForwardDataToSplunkCloudFromWindows

I did all the default settings as explained in Steps 1 to 3, but I cannot move to Step 4.

I'm not able to see the forwarder in the Add Data page.

The error in the logs says:

10-26-2016 20:38:09.175 -0400 ERROR TcpOutputFd - Connection to host=xx.xxx.xxx.xxx:9997 failed
10-26-2016 20:38:17.075 -0400 INFO  DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
10-26-2016 20:38:21.688 -0400 WARN  HttpPubSubConnection - Unable to parse message from PubSubSvr: 
10-26-2016 20:38:21.688 -0400 INFO  HttpPubSubConnection - Could not obtain connection, will retry after=33.948 seconds.
10-26-2016 20:38:29.076 -0400 INFO  DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
10-26-2016 20:38:39.085 -0400 WARN  TcpOutputFd - Connect to xx.xxx.xxx.xxx:9997 failed. No connection could be made because the target machine actively refused it.

What am I doing wrong?

0 Karma

JDukeSplunk
Builder

Either the cloud server rule will not allow traffic from your forwarder, or the Windows box local firewall will not allow it out.

Try to telnet to your host.
telnet X.x.x.x 9997

I'm guessing somewhere in the cloud setup you must allow hosts to forward to the server. I've only ever used on-premise systems.

0 Karma
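The telnet check suggested in the answer above, written as an added example that is not part of the original thread: it pulls the failing destinations out of splunkd.log lines in the format quoted in the question and classifies a TCP connect to each one. It assumes Python 3 is available on the forwarder host or on another machine behind the same firewall; the sample log is constructed, and the function names are hypothetical.

```python
import re
import socket

# Constructed sample in the splunkd.log format quoted in the question
# (203.0.113.10 is a documentation address, not a real indexer).
SAMPLE_LOG = """\
10-26-2016 20:38:09.175 -0400 ERROR TcpOutputFd - Connection to host=203.0.113.10:9997 failed
10-26-2016 20:38:17.075 -0400 INFO  DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
10-26-2016 20:38:39.085 -0400 WARN  TcpOutputFd - Connect to 203.0.113.10:9997 failed. No connection could be made because the target machine actively refused it.
"""

# Covers both TcpOutputFd wordings seen in the question:
# "Connection to host=IP:PORT failed" and "Connect to IP:PORT failed".
FAILED = re.compile(r"TcpOutputFd - Connect(?:ion)? to (?:host=)?([^\s:]+):(\d+) failed")


def failed_targets(log_text):
    """Return the distinct (host, port) pairs TcpOutputFd could not reach."""
    return sorted({(m.group(1), int(m.group(2))) for m in FAILED.finditer(log_text)})


def probe(host, port, timeout=5.0):
    """Classify one TCP connect attempt: 'open', 'refused', 'timeout' or 'error: ...'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # A reset came back: the path works, but nothing is listening on the
        # port or a firewall rejects it (the "actively refused" case in the log).
        return "refused"
    except socket.timeout:
        # No answer at all: packets are being dropped, typically by a firewall.
        return "timeout"
    except OSError as exc:
        # Anything else, such as no route to host or a name that does not resolve.
        return "error: %s" % exc


if __name__ == "__main__":
    # Point this at the real splunkd.log text to test the configured indexer.
    for host, port in failed_targets(SAMPLE_LOG):
        print(host, port, probe(host, port))
```

A "refused" result matches the WARN line in the question, while "timeout" points to traffic being silently dropped on the way out or in.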

adminimv
New Member

I also doubt so.

Can you please help: which ports should be open on my Windows server where I've installed the universal forwarder?

0 Karma

JDukeSplunk
Builder

I would go to http://www.whatsmyip.org/ and get your external IP. Then, on the cloud side, open these ports INBOUND (TCP/UDP) from that IP. Or just open everything from your public IP.

9997 for forwarders to the Splunk indexer.
8000 for clients to the Splunk Search page
8089 for splunkd (also used by deployment server).

Also, on the Windows firewall of the forwarder, make sure that splunkd.exe can communicate outbound on those ports.

I also imagine you can get in touch with your Splunk sales guy. If you have a trial, they might be willing to help you get set up on the chance that you might buy the product.

Lastly, if all else fails, download the Enterprise version for a 30 day trial, and install it on a VM in your environment.

It's useful to keep one of these Enterprise Splunk servers running internally to test stuff with anyway. I keep one on AWS in free tier, and have another running on a small VMware Linux box.

-JD

0 Karma

adminimv
New Member

Thanks for the information!

Will try them and let you know.

0 Karma