Getting Data In

After installing a forwarder on Windows to send data to a Splunk Cloud trial, why do I not see the forwarder in the Add Data page?

New Member

I'm new to Splunk and setting up a Splunk Cloud trial version.

I have installed a Splunk forwarder on a Win 2008 R2 64X machine and followed all the steps mentioned in http://docs.splunk.com/Documentation/SplunkCloud/6.5.0/User/ForwardDataToSplunkCloudFromWindows

I did all the default settings as explained in Steps 1 to 3, but cannot move to Step 4.

I'm not able to see the forwarder in the Add Data page.

The error in the logs says:

10-26-2016 20:38:09.175 -0400 ERROR TcpOutputFd - Connection to host=xx.xxx.xxx.xxx:9997 failed
10-26-2016 20:38:17.075 -0400 INFO  DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
10-26-2016 20:38:21.688 -0400 WARN  HttpPubSubConnection - Unable to parse message from PubSubSvr: 
10-26-2016 20:38:21.688 -0400 INFO  HttpPubSubConnection - Could not obtain connection, will retry after=33.948 seconds.
10-26-2016 20:38:29.076 -0400 INFO  DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
10-26-2016 20:38:39.085 -0400 WARN  TcpOutputFd - Connect to xx.xxx.xxx.xxx:9997 failed. No connection could be made because the target machine actively refused it.

What am I doing wrong?

0 Karma

Builder

Either the cloud server rule will not allow traffic from your forwarder, or the Windows box's local firewall will not allow it out.

Try to telnet to your host.
telnet X.x.x.x 9997

I'm guessing somewhere in the cloud setup you must allow hosts to forward to the server. I've only ever used on-premise systems.

0 Karma

New Member

I also doubt so.

Can you please help? Which ports should be open on my Windows server where I've installed the universal forwarder?

0 Karma

Builder

I would go to http://www.whatsmyip.org/ and get your external IP. Then, on the cloud side, open these ports INBOUND (TCP/UDP) from that IP. Or just open everything from your public IP.

9997 for forwarders to the Splunk indexer.
8000 for clients to the Splunk Search page
8089 for splunkd (also used by deployment server).

Also, on the Windows firewall of the forwarder, make sure that splunkd.exe can communicate outbound on those ports.

I also imagine you can get in touch with your Splunk sales guy. If you have a trial, they might be willing to help you get set up on the chance that you might buy the product.

Lastly, if all else fails, download the Enterprise version for a 30-day trial, and install it on a VM in your environment.

It's useful to keep one of these Enterprise Splunk servers running internally to test stuff with anyway. I keep one on AWS in free tier, and have another running on a small VMware Linux box.

-JD

0 Karma
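A scripted version of the telnet check suggested in this thread, as an added example that is not part of the original posts: it probes the three ports listed above from the forwarder host and separates a refused connection (the "actively refused" error in the question's log) from a silent timeout, which usually points to a firewall dropping the traffic. The host name is a placeholder to be replaced with the address from the TcpOutputFd log line, and `Test-TcpPort` is a hypothetical helper name.

```powershell
# Added example, not from the thread. $IndexerHost is a placeholder:
# substitute the host shown in the TcpOutputFd log line.
param(
    [string]$IndexerHost = 'indexer.example.invalid',
    [int[]]$Ports = @(9997, 8000, 8089),   # ports listed in the answer above
    [int]$TimeoutMs = 5000
)

function Test-TcpPort {   # hypothetical helper name
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # BeginConnect/EndConnect also works on the older .NET shipped with 2008 R2
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'TIMEOUT'    # no answer at all: packets are being dropped
        }
        $client.EndConnect($pending)
        return 'OPEN'           # TCP handshake completed
    }
    catch {
        # PowerShell wraps .NET exceptions; unwrap to the underlying one
        $inner = $_.Exception.GetBaseException()
        if ($inner -is [System.Net.Sockets.SocketException]) {
            if ($inner.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
                return 'REFUSED'   # a reset came back: nothing listening, or a firewall rejecting
            }
            return "ERROR ($($inner.SocketErrorCode))"
        }
        return "ERROR ($($inner.Message))"
    }
    finally {
        $client.Close()
    }
}

foreach ($port in $Ports) {
    $result = Test-TcpPort -HostName $IndexerHost -Port $port -TimeoutMs $TimeoutMs
    New-Object PSObject -Property @{ Host = $IndexerHost; Port = $port; Result = $result } |
        Select-Object Host, Port, Result
}
```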

New Member

Thanks for the information!

Will try them and let you know.

0 Karma