I'm installing a universal forwarder on my Linux and Windows machines. After that, I'm starting to get the data with
splunk add monitor /path/to/logfile.log and I see all of my data under the Search and Reporting app (data summary as well):
I want to use the "splunk add data section" to add my data, but I cannot see my forwarders in the add data section. And I'm getting this error:
Actually I have 3 or 4 forwarders installed, but I cannot see them. How can I fix it?
Note: to see the Windows event log in Splunk, we have to use that section.
I had the same problem until I registered the forwarders with the Splunk Enterprise instance (ostensibly for configuration control). Though this step is described as an optional convenience (without explicitly saying so), it turns out to be absolutely necessary: without it, the Splunk Enterprise instance won't see the forwarders even though it's listening for them!
On the receiver, enable listening using:
# /opt/splunk/bin/splunk enable listen <port> -auth <splunkusername>:<password>
On each forwarder, designate the receiver using:
# splunk add forward-server <hostname or ip_address>:<listening port> [-auth <splunkusername>:<password>]
On the receiver, register the forwarders:
# splunk set deploy-poll <hostname or ip_address>:<management port>
By "managed cloud", I'm assuming you're referring to Splunk Cloud SaaS?
Your hosts where the forwarders are installed aren't managed by Splunk, so it should be a Splunk Cloud issue. Go ahead and start a new question and I'd be glad to walk you through it.
Same problem here. I would like to see this get solved. I went through the instructions twice. Restarted both the forwarder and the server that the forwarder is installed on and nothing works. The forwarder does not come up under my instance. I tried using another web browser too.
I did try to telnet input-prd-p-zhfqvtr4lbbt.cloud.splunk.com:9997 (the server in my output.conf file) and was not able to connect. This tells me that the cloud server is not functional?
When will the solution be working again? Is there an ETA? I would like to get this rolled out for all of our SaaS clients, but not possible at the moment.
Thanks, Same problem here. You install the forwarder, add your universal forwarder credentials, restart, and it does not show up in the instance. Restart again, restart the server that the forwarder is installed on. Then log on and off the instance. Use another web browser to access the instance. Nothing works.
So I ran a telnet to input-prd-p-zhfqvtr4lbbt.cloud.splunk.com:9997 (which is the server in my output.conf file) and was not able to access. I do not think their cloud offering is working at this time.
I would love to buy this solution, but first I have to demo it to my manager. Love to get it working.
Is there an ETA for when the cloud solution will be working again?
You should open a support case and generate a diag file (this will be the first thing support will ask for).
In the meantime, post your SPLUNK_HOME/etc/system/local and I'll take a look.
If you haven’t resolved the issues with seeing your installed forwarders, try the following links and confirm you have performed the steps listed for setting up the universal forwarder with Windows and Linux for Splunk Cloud instances. The instructions are slightly different.
Go to the server, go under /opt/splunkforwarder/etc/system/local and edit the inputs.conf. It should look something like this:
[default]
host = HOSTNAME

[monitor:///opt/xxx/xxx/logs/server.log]
disabled = false
sourcetype = server
index = YOUR_INDEX_NAME
Also, is your outputs.conf pointing to the indexer?
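A small lint for the inputs.conf layout shown in the post above, added here as an example (it is not from the original thread or from Splunk). It flags a stanza header that is missing its closing bracket, settings that sit outside any stanza, and monitor stanzas that are switched off; the function name and the sample text are constructed for illustration.

```python
# Constructed sample: the stanza layout from the post, with the closing
# bracket of the monitor header left off to show the failure mode.
SAMPLE = """\
[default]
host = HOSTNAME

[monitor:///opt/xxx/xxx/logs/server.log
disabled = false
sourcetype = server
index=YOUR_INDEX_NAME
"""

def lint_inputs_conf(text):
    """Return (stanzas, problems) for inputs.conf-style text.

    stanzas maps each header name to its settings; problems is a list of
    (line_number, message) tuples in file order.
    """
    stanzas, problems = {}, []
    name, current = None, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("["):
            if line.endswith("]"):
                name = line[1:-1]
            else:
                problems.append((n, "stanza header is missing its closing ']'"))
                name = line[1:]
            current = stanzas.setdefault(name, {})
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not key:
            problems.append((n, "expected 'key = value'"))
        elif current is None:
            problems.append((n, "setting appears before any stanza header"))
        else:
            current[key] = value
            # Assumption: "true" or "1" is treated as disabled in this lint.
            if (key == "disabled" and value.lower() in ("true", "1")
                    and name.startswith("monitor://")):
                problems.append((n, f"{name} is disabled"))
    return stanzas, problems

if __name__ == "__main__":
    parsed, found = lint_inputs_conf(SAMPLE)
    for n, msg in found:
        print(f"line {n}: {msg}")
    for header, settings in parsed.items():
        print(header, settings)
```
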
It's not possible. I do not have any firewall rule. There is this line in my splunkd.log:
11-28-2016 21:35:01.773 +0000 INFO TcpOutputProc - Connected to idx=MY_SPLUNK_CLOUD_INSTANCE_IP:9997
And as I said before, I can see my data in Splunk Cloud, but I cannot add it from the add data section. I need to add it from there.
I had added it in my self-service cloud deployment, but now I'm using a managed cloud deployment. Could it be related to that?