Hi all;
I'm installing a universal forwarder on my Linux and Windows machines. After that, I'm starting to get the data with splunk add monitor /path/to/logfile.log
and I see all of my data under the Search and Reporting app (data summary as well):
I want to use the "splunk add data section" to add my data, but I cannot see my forwarders in the add data section. And I'm getting this error:
Actually I have 3 or 4 forwarders installed, but I cannot see them. How can I fix it?
Note: to see the Windows event log in Splunk we have to use that section.
I had the same problem until I registered the forwarders with the Splunk Enterprise instance (ostensibly for configuration control). Though this step is described as an optional convenience (without explicitly saying so), it turns out to be absolutely necessary: without it, the Splunk Enterprise instance won't see the forwarders even though it's listening for them!
On the receiver, enable listening using:
# /opt/splunk/bin/splunk enable listen <port> -auth <splunkusername>:<password>
On each forwarder, designate the receiver using:
# splunk add forward-server <hostname or ip_address>:<listening port> [-auth <splunkusername>:<password>]
On the receiver, register the forwarders:
# splunk set deploy-poll <hostname or ip_address>:<management port>
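The steps above configure two separate channels: the data (listening) port and the management port. As an added example (not from the thread), this check reports which of the two a forwarder's configuration carries, assuming the settings are stored in outputs.conf under `[tcpout:<group>]` and in deploymentclient.conf under `[target-broker:deploymentServer]`; the file contents and host names are constructed.

```python
import configparser

# Constructed sample files; host names and ports are placeholders.
OUTPUTS_CONF = """\
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = indexer.example.com:9997
"""
DEPLOYMENTCLIENT_CONF = """\
[target-broker:deploymentServer]
targetUri = indexer.example.com:8089
"""

def _parse(text):
    # Splunk .conf files are INI-like: only "=" delimits, key case matters.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def data_targets(outputs_text):
    """Receivers (host:port) listed in every [tcpout:<group>] stanza."""
    cp = _parse(outputs_text)
    targets = []
    for section in cp.sections():
        if section.startswith("tcpout:"):
            servers = cp.get(section, "server", fallback="") or ""
            targets += [s.strip() for s in servers.split(",") if s.strip()]
    return targets

def management_target(deploymentclient_text):
    """Management host:port the forwarder polls, or None if not set."""
    cp = _parse(deploymentclient_text)
    section = "target-broker:deploymentServer"  # assumed stanza name
    if not cp.has_section(section):
        return None
    return cp.get(section, "targetUri", fallback=None) or None

def diagnose(outputs_text, deploymentclient_text):
    data = data_targets(outputs_text)
    mgmt = management_target(deploymentclient_text)
    if data and mgmt:
        return "data+management"  # sends events and is registered
    if data:
        return "data-only"        # events arrive, forwarder not listed
    return "management-only" if mgmt else "unconfigured"
```

A `data-only` result matches the symptom in the question: events are searchable, but the forwarder is not listed for selection.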
Have you been able to resolve this?
I'm experiencing exactly the same behavior - (we are new to splunk) - is this "expected" by any chance, in "managed cloud" deployment?
By "managed cloud", I'm assuming you're referring to Splunk Cloud SaaS?
Your hosts where the forwarders are installed aren't managed by Splunk so it should be a Splunk Cloud issue. Go ahead and start a new question and I'd be glad to walk you through it.
Same problem here. I would like to see this get solved. I went through the instructions twice. Restarted both the forwarder and the server that the forwarder is installed on and nothing works. The forwarder does not come up under my instance. I tried using another web browser too.
I did try to telnet input-prd-p-zhfqvtr4lbbt.cloud.splunk.com:9997 (the server in my output.conf file) and was not able to connect. This tells me that the cloud server is not functional?
When will the solution be working again? Is there an ETA? I would like to get this rolled out for all of our SaaS clients, but not possible at the moment.
Thanks,
Same problem here. You install the forwarder, add your universal forwarder credentials, restart, and it does not show up in the instance. Restart again, restart the server that the forwarder is installed on. Then log on and off the instance. Use another web browser to access the instance. Nothing works.
So I ran a telnet to input-prd-p-zhfqvtr4lbbt.cloud.splunk.com:9997 (which is the server in my output.conf file) and was not able to access. I do not think their cloud offering is working at this time.
I would love to buy this solution, but first I have to demo it to my manager. Love to get it working.
Is there an ETA for when the cloud solution will be working again?
You should open a support case and generate a diag file (This will be the first thing support will ask for)
http://docs.splunk.com/Documentation/Splunk/6.5.1/Troubleshooting/Generateadiag
In the meantime, post your inputs.conf and outputs.conf from SPLUNK_HOME/etc/system/local and I'll take a look.
If you haven’t resolved the issues with seeing your installed forwarders, try the following links and confirm you have performed the steps listed for setting up the universal forwarder with Windows and Linux for Splunk Cloud instances. The instructions are slightly different.
http://docs.splunk.com/Documentation/SplunkCloud/6.5.1/User/ForwardDataToSplunkCloudFromWindows
http://docs.splunk.com/Documentation/SplunkCloud/6.5.1/User/ForwardDataToSplunkCloudFromLinux
nope,
I did all of them correctly.
Do you have access to the servers where the forwarders are installed? Did you restart the Splunk service after making changes to the forwarder configurations?
I have access to the servers and I have restarted a lot of times. But the result did not change.
Go to the server and go under /opt/splunkforwarder/etc/system/local and edit the inputs.conf. It should look something like this:
[default]
host = HOSTNAME
[monitor:///opt/xxx/xxx/logs/server.log]
disabled = false
sourcetype = server
index=YOUR_INDEX_NAME
Also, is your outputs.conf pointing to the indexer?
Unfortunately it did not work.
And yes, I have configured my outputs.conf as well but the result is the same.
Are you being blocked by a firewall? You could always check splunkd.log for errors.
This is located at /opt/splunkforwarder/var/log/splunk/splunkd.log
It's not possible. I do not have any firewall rule. There is that line in my splunkd.log:
11-28-2016 21:35:01.773 +0000 INFO TcpOutputProc - Connected to idx=MY_SPLUNK_CLOUD_INSTANCE_IP:9997
And as I said before, I can see my data in Splunk Cloud but I cannot add from the add data section. I need to add from there.
I had added in my self-service cloud deployment but now I'm using a managed cloud deployment. Could it be related to it?