Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

After installing the Universal Forwarder using MSI, I am not receiving any data. How to edit my configuration?

tmontney
Builder
‎10-10-2016 10:48 AM

I installed the Universal Forwarder using the MSI, specified server info, but didn't check any boxes for wineventlog and such. I can see the PC checking in on the Splunk server, but it's not receiving any data. This is my ...\etc\system\local\inputs.conf

[default]
host = PBDC-LT-16

[WinEventLog:System]
interval=60
index=wineventlog
disabled=0

[WinEventLog:Security]
interval=60
index=wineventlog
disabled=0

[WinEventLog:Application]
interval=60
index=wineventlog
disabled=0
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gneumann_splunk
Splunk Employee
Splunk Employee
‎10-10-2016 01:24 PM

Here's a similar situation on Answers that might help resolve your issue:
https://answers.splunk.com/answers/98072/not-receiving-data-from-windows-forwarder.html

In particular "Have you opened the port on your Splunk indexer to receive data from the forwarder? I would try doing a tcpdump/netstat to see if data is leaving the Windows box and/or being received on the Splunk Indexer."

View solution in original post

Reply
Solved! Jump to solution
Solution

gneumann_splunk
Splunk Employee
Splunk Employee
‎10-10-2016 01:24 PM

Here's a similar situation on Answers that might help resolve your issue:
https://answers.splunk.com/answers/98072/not-receiving-data-from-windows-forwarder.html

In particular "Have you opened the port on your Splunk indexer to receive data from the forwarder? I would try doing a tcpdump/netstat to see if data is leaving the Windows box and/or being received on the Splunk Indexer."

Reply
Solved! Jump to solution

tmontney
Builder
‎10-10-2016 02:10 PM

If I configure Splunk server to get the data, it works. I'm feeling it's just wrong config rather than ports or firewalls. I'll take a look though.

0 Karma
Reply
Solved! Jump to solution

tmontney
Builder
‎10-10-2016 02:20 PM

My apology, it is working actually. I was basing it off the "Last Updated" section of the Search page. It was looking for the hostname rather than the hostname's FQDN (treating them as separate hosts).

Reply
Solved! Jump to solution

gneumann_splunk
Splunk Employee
Splunk Employee
‎10-10-2016 02:46 PM

Great to know it's working!

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎10-10-2016 11:31 AM

Is your outputs.conf pointing to your indexer? Did you restart the Splunk web service after making these changes?

0 Karma
Reply
Solved! Jump to solution

tmontney
Builder
‎10-10-2016 11:47 AM

Yep, outputs.conf is fine. The inputs.conf file I'm referencing here is on the forwarder, not the server. Why would I restart the server?

0 Karma
Reply
Solved! Jump to solution

gneumann_splunk
Splunk Employee
Splunk Employee
‎10-10-2016 11:09 AM

Try checking your universal forwarder installation against these instructions:
http://docs.splunk.com/Documentation/SplunkLight/6.5.0/GettingStarted/GettingdataintoSplunkLightusin...

Reply
Solved! Jump to solution

tmontney
Builder
‎10-10-2016 11:41 AM

Very nice, I didn't realize this was an option. However, it's a bit light. The config files have far more options to configure, and I can't determine how to do that.

0 Karma
Reply
Solved! Jump to solution

gneumann_splunk
Splunk Employee
Splunk Employee
‎10-10-2016 11:51 AM

Try the Splunk Enterprise Getting Data In manual, which has more information:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/AboutWindowsdataandSplunk

0 Karma
Reply
Solved! Jump to solution

gneumann_splunk
Splunk Employee
Splunk Employee
‎10-10-2016 11:57 AM

More specific instructions for event log monitoring and universal forwarder config info using Windows:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/MonitorWindowseventlogdata

0 Karma
Reply
Solved! Jump to solution

tmontney
Builder
‎10-10-2016 12:09 PM

Again, I have followed that. I have changed /etc/system/local/inputs.conf to the config shown above, on the local forwarder. I restarted the Splunk Forwarder service, and did not see any change.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...