Hello,
I have installed Splunk Enterprise in a Windows environment. I have installed Universal Forwarder on a separate machine. Before running the ./splunk add forward_server command (to add the indexer), I ran ipconfig from the Windows box where Splunk Enterprise is. Using that IPv4 address (let's call it xxx.xx.xxx.xxx), I then successfully pinged that address from where I installed the forwarder (a Linux machine). Then, using the default forwarder port (9997), I ran the command as:
./splunk add forward-server xxx.xx.xxx.xxx:9997
which ran successfully. I then restarted forwarder like:
./splunk restart
and the forwarder successfully restarted. I verified that the outputs.config file in the splunk_home/etc/system/local had the correct settings:
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = xxx.xx.xxx.xxx:9997
[tcpout-server://xxx.xx.xxx.xxx:9997]
I then logged into the Splunk Enterprise web interface, and selected the "Add Data" link, and then the "forward" link. At the top it says "Select Forwarders", but beneath that there is a red triangle that says "There are currently no forwarders configured as deployment clients to this instance".
Am I doing something wrong? If so, how do I diagnose and correct? Grateful for any response!
There are a couple of points here:
1. Enable listening on the indexer: Settings -> Forwarding and Receiving -> Configure Receiving -> New -> add port 9997
2. Now, check if data is coming from the forwarder by searching: index = _internal host=<yourForwarder> | head
3. If the data is there, you are good to proceed to add the forwarder as a Deployment Client (if you wish to). If not, check this doc for further troubleshooting: http://docs.splunk.com/Documentation/Splunk/6.5.2/Troubleshooting/Cantfinddata
4. To add the forwarder as a deployment client, use the following command on the forwarder:
splunk set deploy-poll <IP_address/hostname>:<management_port>
splunk restart
More details here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Updating/Configuredeploymentclients
5. Now navigate to Settings -> Forwarder Management and see your forwarder.
Hope it helps
Thanks for the reply, adonio. I have successfully set up my universal forwarder as a deployment client by following your directions.
In Splunk Enterprise GUI, go to Settings->Forwarding and Receiving and click Configure Receiving. Verify your forwarder is listed there. If it isn't, click the New button to tell Splunk to listen on the right port.
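The thread turns on two separate settings: a receiver in outputs.conf (data forwarding) and a deployment server in deploymentclient.conf (what `splunk set deploy-poll` configures). The following is an added example, not code from any poster or from Splunk, that reads both files' text and reports which of the two is configured. The function names, the sample file contents, the 192.0.2.10 address and the 8089 management port are assumptions made for illustration.

```python
# Added example: sample config text below is constructed (192.0.2.10 is a documentation address).

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; keys before any [stanza] go under 'default'."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def forwarder_status(outputs_text, deployclient_text=""):
    """Report configured receivers, the deployment server, and which role is set up."""
    receivers = []
    for name, settings in parse_conf(outputs_text).items():
        # Only [tcpout:<group>] stanzas carry the receiver list.
        if name.startswith("tcpout:") and "server" in settings:
            receivers += [s.strip() for s in settings["server"].split(",") if s.strip()]
    broker = parse_conf(deployclient_text).get("target-broker:deploymentServer", {})
    target = broker.get("targetUri")
    if target:
        hint = "deployment client configured"
    elif receivers:
        hint = "forwarding only, not a deployment client"
    else:
        hint = "no receiver and no deployment server configured"
    return {"receivers": receivers, "deployment_server": target, "hint": hint}

# Constructed outputs.conf, shaped like the one in the question.
OUTPUTS = """\
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 192.0.2.10:9997
[tcpout-server://192.0.2.10:9997]
"""
# Constructed deploymentclient.conf with the deployment server target set.
DEPLOYCLIENT = "[target-broker:deploymentServer]\ntargetUri = 192.0.2.10:8089\n"

if __name__ == "__main__":
    print(forwarder_status(OUTPUTS))                # state described in the question
    print(forwarder_status(OUTPUTS, DEPLOYCLIENT))  # state after set deploy-poll
```

A "forwarding only" result matches the state in the question: data can reach the indexer on 9997 while the forwarder is still not configured as a deployment client.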