Getting Data In

Cannot See Universal Forwarder from Splunk Enterprise

tclotworthy
New Member

Hello,

I have installed Splunk Enterprise in a Windows environment. I have installed Universal Forwarder on a separate machine. Before running the ./splunk add forward_server command (to add the indexer), I ran ipconfig from the Windows box where Splunk Enterprise is. Using that IPv4 address (let's call it xxx.xx.xxx.xxx), I then successfully pinged that address from where I installed the forwarder (a Linux machine). Then, using the default forwarder port (9997), I ran the command as:

./splunk add forward-server xxx.xx.xxx.xxx:9997

which ran successfully. I then restarted the forwarder like:

./splunk restart

and the forwarder successfully restarted. I verified that the outputs.config file in the splunk_home/etc/system/local had the correct settings:

defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = xxx.xx.xxx.xxx:9997

[tcpout-server://xxx.xx.xxx.xxx:9997]

I then logged into the Splunk Enterprise web interface, selected the "Add Data" link, and then the "forward" link. At the top it says "Select Forwarders", but beneath that there is a red triangle that says "There are currently no forwarders configured as deployment clients to this instance".

Am I doing something wrong? If so, how do I diagnose and correct? Grateful for any response!

0 Karma
1 Solution

adonio
Ultra Champion

There are a couple of points here
1. enable listening on the indexer: Settings -> Forwarding and Receiving -> Configure Receiving -> new -> add port 9997
2. now, check if data is coming from forwarder by searching: index = _internal host=<yourForwarder> | head
3. if the data is there, you are good to proceed to add the forwarder as a Deployment Client (if you wish to) if not, check this doc for further troubleshooting: http://docs.splunk.com/Documentation/Splunk/6.5.2/Troubleshooting/Cantfinddata
4. to add the forwarder as a deployment client, use the following command on the forwarder

splunk set deploy-poll <IP_address/hostname>:<management_port>
splunk restart

more details here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Updating/Configuredeploymentclients
5. now navigate to settings -> Forwarder Management and see your forwarder
Hope it helps
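
The answer above separates two settings that are easy to conflate: forwarding data (outputs.conf) and registering as a deployment client (deploymentclient.conf). As an added example that is not part of the original thread, this script reads both files from a directory and reports which role is configured. The function names, the 192.0.2.10 address and port 8089 are constructed for illustration, and it assumes `defaultGroup` sits under a `[tcpout]` stanza.

```shell
#!/bin/sh
# Added example (not from the thread): report a forwarder's two separate roles,
# sending data (outputs.conf) and deployment client (deploymentclient.conf).

# conf_value FILE STANZA KEY: print KEY's value inside [STANZA], if present.
conf_value() {
    [ -f "$1" ] || return 0
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t]+$/, ""); inside = ($0 == want); next }
        inside {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# forwarder_roles DIR: summarise both roles from the .conf files in DIR.
forwarder_roles() (
    out="$1/outputs.conf"
    group=$(conf_value "$out" "tcpout" "defaultGroup")
    server=""
    if [ -n "$group" ]; then
        server=$(conf_value "$out" "tcpout:$group" "server")
    fi
    ds=$(conf_value "$1/deploymentclient.conf" "target-broker:deploymentServer" "targetUri")
    echo "forwarding=${server:-none} deployment_client=${ds:-none}"
)

# Constructed sample files; addresses and port 8089 are placeholders.
write_sample() {   # state after `add forward-server` only
    printf '%s\n' '[tcpout]' 'defaultGroup = default-autolb-group' '' \
        '[tcpout:default-autolb-group]' 'server = 192.0.2.10:9997' > "$1/outputs.conf"
}
add_deploy_poll() {   # assumed result of `splunk set deploy-poll`
    printf '%s\n' '[target-broker:deploymentServer]' 'targetUri = 192.0.2.10:8089' \
        > "$1/deploymentclient.conf"
}

demo=$(mktemp -d)
write_sample "$demo"
forwarder_roles "$demo"
add_deploy_poll "$demo"
forwarder_roles "$demo"
rm -rf "$demo"
```

On a real forwarder, pass the local configuration directory (the thread uses splunk_home/etc/system/local) to `forwarder_roles`.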

tclotworthy
New Member

Thanks for the reply, adonio. I have successfully set up my universal forwarder as a deployment client by following your directions.

0 Karma

richgalloway
SplunkTrust

In Splunk Enterprise GUI, go to Settings->Forwarding and Receiving and click Configure Receiving. Verify your forwarder is listed there. If it isn't, click the New button to tell Splunk to listen on the right port.

---
If this reply helps you, Karma would be appreciated.