I'm new to Splunk and setting up Splunk Cloud trial verison.
Have installed a Splunk forwarder on Win 2008 R2 64X machine and followed all steps mentioned in- http://docs.splunk.com/Documentation/SplunkCloud/6.5.0/User/ForwardDataToSplunkCloudFromWindows
I did all default setting as explained in Step 1 to 3. But cannot move to step-4.
I'm not able to see the forwarder in the Add Data page.
Error for logs says
10-26-2016 20:38:09.175 -0400 ERROR TcpOutputFd - Connection to host=xx.xxx.xxx.xxx:9997 failed 10-26-2016 20:38:17.075 -0400 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected 10-26-2016 20:38:21.688 -0400 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr: 10-26-2016 20:38:21.688 -0400 INFO HttpPubSubConnection - Could not obtain connection, will retry after=33.948 seconds. 10-26-2016 20:38:29.076 -0400 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected 10-26-2016 20:38:39.085 -0400 WARN TcpOutputFd - Connect to xx.xxx.xxx.xxx:9997 failed. No connection could be made because the target machine actively refused it.
What I'm doing wrong?
Either the cloud server rule will now allow traffic from your forwarder, or the Windows box local firewall will not allow it out.
Try to telnet to your host.
telnet X.x.x.x 9997
I'm guessing somewhere in the cloud setup you must allow hosts to forward to the server. I've only ever used on-premise systems.
I would go to http://www.whatsmyip.org/ get your external IP. Then on the cloud side open from that IP TCP/UDP-->> INBOUND These ports. Or just open everything from your public IP.
9997 for forwarders to the Splunk indexer.
8000 for clients to the Splunk Search page
8089 for splunkd (also used by deployment server).
Also on the windows firewall of the forwarder make sure that splunkd.exe can communicate outbound on those ports.
I also imagine you can get in touch with your splunk sales guy. If you have a trial, they might be willing to help you get setup on the chance that you might buy the product.
Lastly, if all else fails, download the Enterprise version for a 30 day trial, and install it on a VM in your environment.
Its useful to keep one of these enterprise splunk servers running internally to test stuff with anyway. I keep one on AWS in free tier, and have another running on a small vmware linux box.