
App deploys from the Deployment Server, but why is the deployment client not sending any data?

Explorer

So I am experiencing an oddity with Splunk and I am hoping it is just something I am overlooking.

I have an indexer that also acts as a deployment server (Linux) and I am using a test client (Windows). On the deployment server, I create two apps, Splunk_TA_windows and sendtoindexer. I created the inputs.conf in the local folder of the Splunk_TA_windows app:

[WinEventLog://Application]
disabled = 0
index = wineventlog

[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog

And the outputs.conf in the local folder of the sendtoindexer app:

[tcpout]
disabled = false
defaultGroup = default-autolb-group

[tcpoutput:default-autolb-group]
server = hostname:9997

[tcpout-server://hostname:9997]

On Forwarder Management, I set the whitelists/blacklists so that the test machine is targeted to get both of these apps. When looking at the Server Class page, at the bottom under Clients, I see my test server and that under Deployed Apps I see 2, so that's good, but in the middle of that page under Apps, it shows both of my apps, and under the Clients column it shows 0 deployed for both.

Anyways, when checking the SplunkUniversalForwarder/etc/apps folder on the client machine I see both apps are deployed as expected. However, when I perform a search checking for either the hostname of the client or the index I set in the inputs.conf file, I do not get any results.

Any help would be appreciated. Let me know if anything I said didn't make sense or if more information would be useful.

1 Solution

Explorer

Well, I feel really silly now. In line 5 of my outputs.conf I have:

[tcpoutput:group]

And it should have been:

[tcpout:group]

Sigh. Sorry for the time I wasted!

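The accepted answer comes down to one misspelled stanza name, and Splunk does not reject it: an unknown stanza is silently ignored, and the forwarder then complains that it has no output configured. As an added example (not code from the thread or from Splunk), here is a small Python check that parses an outputs.conf the way btool would show it and reports exactly that class of mistake: stanza names outputs.conf does not support, a defaultGroup with no matching [tcpout:<group>] stanza, and server entries that are not host:port. The sample configs are constructed from the one in the question; the list of supported stanza prefixes is the assumption this check is built on.

```python
import configparser
import re

# Constructed sample: the outputs.conf from the question, with the stanza name
# misspelled as 'tcpoutput:' exactly as in the post.
BROKEN_OUTPUTS_CONF = """\
[tcpout]
disabled = false
defaultGroup = default-autolb-group

[tcpoutput:default-autolb-group]
server = hostname:9997

[tcpout-server://hostname:9997]
"""

# The same file with the stanza name corrected, as the accepted answer describes.
FIXED_OUTPUTS_CONF = BROKEN_OUTPUTS_CONF.replace("[tcpoutput:", "[tcpout:")

# server values must be host:port (hostname or IPv4 literal, numeric port)
SERVER_RE = re.compile(r"^[A-Za-z0-9._-]+:\d{1,5}$")


def parse_conf(text):
    """Parse Splunk's INI-style .conf text; keys stay case-sensitive as in Splunk."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.optionxform = str  # keep 'defaultGroup' as written, not lower-cased
    cp.read_string(text)
    return cp


def known_stanza(name):
    """True for the stanza forms outputs.conf supports (assumed list: tcpout family,
    syslog, indexer discovery)."""
    return (
        name in ("tcpout", "syslog")
        or name.startswith(("tcpout:", "tcpout-server://", "syslog:", "indexer_discovery:"))
    )


def validate_outputs(text):
    """Return a list of findings; an empty list means the file looks consistent."""
    findings = []
    cp = parse_conf(text)
    stanzas = cp.sections()

    # Unknown stanza names: this is where a typo like [tcpoutput:...] shows up.
    for name in stanzas:
        if not known_stanza(name):
            hint = ""
            if name.startswith("tcpoutput:"):
                hint = f" (did you mean [tcpout:{name.split(':', 1)[1]}]?)"
            findings.append(f"unknown stanza [{name}]{hint}")

    if "tcpout" not in stanzas:
        findings.append("no [tcpout] stanza: forwarder has no output configured")
        return findings

    # Every group named in defaultGroup needs a [tcpout:<group>] stanza with a server list;
    # without it the forwarder has nowhere to send and logs that it is not configured.
    default_group = cp.get("tcpout", "defaultGroup", fallback="")
    groups = [g.strip() for g in default_group.split(",") if g.strip()]
    if not groups:
        findings.append("[tcpout] has no defaultGroup, so no data will be sent")
    for group in groups:
        stanza = f"tcpout:{group}"
        if stanza not in stanzas:
            findings.append(f"defaultGroup '{group}' has no [{stanza}] stanza")
            continue
        servers = cp.get(stanza, "server", fallback="")
        entries = [s.strip() for s in servers.split(",") if s.strip()]
        if not entries:
            findings.append(f"[{stanza}] has no server = host:port entry")
        for entry in entries:
            if not SERVER_RE.match(entry):
                findings.append(f"[{stanza}] server entry '{entry}' is not host:port")
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_OUTPUTS_CONF), ("fixed", FIXED_OUTPUTS_CONF)):
        print(label, validate_outputs(conf) or ["OK"])
```

Run it against the text of `splunk btool outputs list --debug` (with the file-path prefixes stripped) on a forwarder that shows the "Please configure outputs.conf" error, and the two findings for the broken sample above are what you would see: the unknown [tcpoutput:...] stanza and the defaultGroup that points at a stanza which does not exist.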


Splunk Employee

make sure of the following
1- hostname is resolvable
2- 9997 ready on the receiving side (indexer OR HF or all in one)
3- make sure no firewall between the UF and the receiver (use telnet or nc to ensure that)
4- run /opt/splunk/bin/splunk btool outputs list --debug on HF
5- run /opt/splunk/bin/splunk btool inputs list --debug on receiver

make sure that steps 4 and 5 give you what's expected.

good luck

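Steps 1 to 3 of that checklist are the same thing a telnet or nc probe does by hand. As an added example (not from the thread or from Splunk), the Python below automates them from the forwarder's side: resolve the host named in server=, then attempt a plain TCP connect to the receiving port and turn the outcome into a verdict. The `demo_against_local_listener` helper is an assumption for demonstration only: it stands up a throwaway listener on loopback so both outcomes can be seen without a real indexer.

```python
import socket

RECEIVER_PORT = 9997  # Splunk's default splunktcp receiving port, as used in the thread


def resolve_host(host):
    """Step 1: addresses the forwarder would resolve `host` to; empty list if it does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def port_open(host, port, timeout=3.0):
    """Steps 2-3: a plain TCP connect, the same probe 'telnet host 9997' or 'nc -z' performs."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused (nothing listening), timed out (filtered), or unreachable
        return False


def check_receiver(host, port=RECEIVER_PORT):
    """Combine the three checks into one verdict a forwarder admin can act on."""
    addrs = resolve_host(host)
    if not addrs:
        return {"host": host, "resolved": [], "reachable": False,
                "verdict": "hostname does not resolve; fix DNS or the server= value (step 1)"}
    reachable = port_open(host, port)
    verdict = ("receiver is accepting TCP connections"
               if reachable else
               f"nothing accepted a connection on port {port}: receiving not enabled, "
               "or a firewall drops it (steps 2-3)")
    return {"host": host, "resolved": addrs, "reachable": reachable, "verdict": verdict}


def demo_against_local_listener():
    """Constructed demo: a loopback listener stands in for a receiver that is up,
    then is closed to stand in for one that is not."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0 = let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    up = check_receiver("127.0.0.1", port)
    listener.close()
    down = check_receiver("127.0.0.1", port)
    return up, down


if __name__ == "__main__":
    for result in demo_against_local_listener():
        print(result["verdict"])
```

A successful connect only proves the TCP path; it says nothing about whether the receiver has [splunktcp://9997] enabled in inputs.conf, which is why the checklist's step 5 (btool on the receiver) still matters after this passes.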

Explorer

Thanks for the reply! 1-3 are definitely okay, I just checked. When running the btool on the forwarder I see the outputs.conf info from the sendtoindexer app so that seems good. When I run the btool on the receiver I see a lot of different inputs.conf entries from a lot of different apps, but they are all located in the /etc/apps/* folder, none from the /etc/deployment-apps/ folder.

Could that be the issue? Or should my apps appear in both /apps/ and /deployment-apps/ ?


Explorer

More info that may be pertinent...

On the client, the /etc/local has no outputs.conf and I am getting:

ERROR: TcpOutputProc  - LightWeightForwarder/UniversalForwarder no configured. Please configure outputs.conf.

... even though /etc/apps/sendtoindexer/local/outputs.conf exists.
