Getting Data In

Can't manage the data that is getting forwarded to my Splunk Instance

ckunath
Communicator

Hello,

a forwarder has been set up to send data to my linux machine and I get the data, everything is fine so far.
The problem is, that the person who set up the forwarder did not specify the right source type, and for some reason I can't find the data input under "Data inputs" to edit it.
If I want to go to Add Data > Forward it tells me that "There are currently no forwarders configured as deployment clients to this instance."

Can anyone tell me how I can set up my splunk enterprise instance so that I can manage the inputs from the forwarder on my end?

Thanks in advance!

0 Karma
1 Solution

brreeves_splunk
Splunk Employee
Splunk Employee

@ckunath,

You'll need to find out what the inputs.conf file looks like on the actual forwarder so that you know what to put into the deployment app you'll create. Here's the basics: http://docs.splunk.com/Documentation/Splunk/6.5.3/Updating/Aboutdeploymentserver

You'll tell the forwarder to look to the main instance using this splunk set deploy-poll command.
http://docs.splunk.com/Documentation/Splunk/6.5.3/Updating/Configuredeploymentclients

Next, you'll create a deployment app that has an inputs.conf that you want the forwarder to follow.
http://docs.splunk.com/Documentation/Splunk/6.5.3/Updating/Createdeploymentapps

And finally, you'll assign the app you created with the inputs.conf to the server class you created that includes the forwarder you mentioned.
http://docs.splunk.com/Documentation/Splunk/6.5.3/Updating/Definedeploymentclasses

View solution in original post

brreeves_splunk
Splunk Employee
Splunk Employee

@ckunath,

You'll need to find out what the inputs.conf file looks like on the actual forwarder so that you know what to put into the deployment app you'll create. Here's the basics: http://docs.splunk.com/Documentation/Splunk/6.5.3/Updating/Aboutdeploymentserver

You'll tell the forwarder to look to the main instance using this splunk set deploy-poll command.
http://docs.splunk.com/Documentation/Splunk/6.5.3/Updating/Configuredeploymentclients

Next, you'll create a deployment app that has an inputs.conf that you want the forwarder to follow.
http://docs.splunk.com/Documentation/Splunk/6.5.3/Updating/Createdeploymentapps

And finally, you'll assign the app you created with the inputs.conf to the server class you created that includes the forwarder you mentioned.
http://docs.splunk.com/Documentation/Splunk/6.5.3/Updating/Definedeploymentclasses

dineshraj9
Builder

You have to check the forwarder and find the inputs.conf file on the forwarder and modify it.
You can get the installation path by checking the directory of the forwarders internal log.

0 Karma

brreeves_splunk
Splunk Employee
Splunk Employee

While they will need to find the inputs.conf on the forwarder, the question was "How do I manage it remotely?".

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...