Getting Data In

App deploys from the Deployment Server, but why is the deployment client not sending any data?

Explorer

So I am experiencing an oddity with Splunk and I am hoping it is just something I am overlooking.

I have an indexer that also acts as a deployment server (Linux) and I am using a test client (Windows). On the deployment server, I create two apps, SplunkTAwindows and sendtoindexer. I created the inputs.conf in the local folder of the SplunkTAwindows app:

[WinEventLog://Application]
disabled = 0
index = wineventlog

[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog

And the outputs.conf in the local folder of the sendtoindexer app:

[tcpout]
disabled = false
defaultGroup = default-autolb-group

[tcpoutput:default-autolb-group]
server = hostname:9997

[tcpout-server://hostname:9997]

On Forwarder Management, I set the whitelists/blacklists so that the test machine is targeted to get both of these apps. When looking at the Server Class page, at the bottom under Clients, I see my test server and that under Deployed Apps I see 2, so that's good, but in the middle of that page under Apps, it shows both of my apps, and under the Clients column it shows 0 deployed for both.

Anyways, when checking the SplunkUniversalForwarder/etc/apps folder on the client machine I see both apps are deployed as expected. However, when I perform a search checking for either the hostname of the client or the index I set in the inputs.conf file, I do not get any results.

Any help would be appreciated. Let me know if anything I said didn't make sense or if more information would be useful.

1 Solution

Explorer

Well, I feel really silly now. In line 5 of my outputs.conf I have:

[tcpoutput:group]

And it should have been:

[tcpout:group]

Sigh. Sorry for the time I wasted!

View solution in original post

Explorer

Well, I feel really silly now. In line 5 of my outputs.conf I have:

[tcpoutput:group]

And it should have been:

[tcpout:group]

Sigh. Sorry for the time I wasted!

View solution in original post

Splunk Employee
Splunk Employee

make sure of the following
1- hostname is resolvable
2- 9997 ready on the receiving side (indexer OR HF or all in on)
3- make sure no firewall between the UF and the receiver (use telnet or nc to ensure that)
4- run /opt/splunk/bin/splunk btool outputs list --debug on HF
5- run /opt/splunk/bin/splunk btool inputs list --debug on receiver

make sure that step 4 and 5 give you what expected.

good luck

0 Karma

Explorer

Thanks for the reply! 1-3 are definitely okay, I just checked. When running the btool on the forwarder I see the output.conf info from the sendtoindexer app so that seems good. When I run the btool on the receiver I see a lot of different inputs.conf entries from a lot of different apps, but theya re all located in the /etc/apps/* folder, none from the /etc/deployment-apps/ folder.

Could that be the issue? Or should my apps appear in both /apps/ and /deployment-apps/ ?

0 Karma

Explorer

More info that may be pertinent...

On the client, the /etc/local has no outputs.conf and I am getting:

ERROR: TcpOutputProc  - LightWeightForwarder/UniversalForwarder no configured. Please configure outputs.conf.

... even though /etc/apps/sendtoindexer/local/outputs.conf exists.

0 Karma