Getting Data In

Cannot See Universal Forwarder from Splunk Enterprise

tclotworthy
New Member

Hello,

I have installed Splunk Enterprise in a Windows environment. I have installed Universal Forwarder on a separate machine. Before running the ./splunk add forward-server command (to add the indexer), I ran ipconfig from the Windows box where Splunk Enterprise is. Using that IPv4 address (let's call it xxx.xx.xxx.xxx), I then successfully pinged that address from where I installed the forwarder (a Linux machine). Then, using the default forwarder port (9997), I ran the command as:

./splunk add forward-server xxx.xx.xxx.xxx:9997

which ran successfully. I then restarted the forwarder like:

./splunk restart

and the forwarder successfully restarted. I verified that the outputs.conf file in splunk_home/etc/system/local had the correct settings:

defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = xxx.xx.xxx.xxx:9997

[tcpout-server://xxx.xx.xxx.xxx:9997]

I then logged into the Splunk Enterprise web interface, selected the "Add Data" link, and then the "forward" link. At the top it says "Select Forwarders", but beneath that there is a red triangle that says "There are currently no forwarders configured as deployment clients to this instance".

Am I doing something wrong? If so, how do I diagnose and correct? Grateful for any response!

0 Karma
1 Solution

adonio
Ultra Champion

There are a couple of points here:
1. Enable listening on the indexer: Settings -> Forwarding and Receiving -> Configure Receiving -> New -> add port 9997
2. Now, check if data is coming from the forwarder by searching: index = _internal host=<yourForwarder> | head
3. If the data is there, you are good to proceed to add the forwarder as a Deployment Client (if you wish to). If not, check this doc for further troubleshooting: http://docs.splunk.com/Documentation/Splunk/6.5.2/Troubleshooting/Cantfinddata
4. To add the forwarder as a deployment client, use the following command on the forwarder:

splunk set deploy-poll <IP_address/hostname>:<management_port>
splunk restart

More details here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Updating/Configuredeploymentclients
5. Now navigate to Settings -> Forwarder Management and see your forwarder.
Hope it helps

tclotworthy
New Member

Thanks for the reply, adonio. I have successfully set up my universal forwarder as a deployment client by following your directions.

0 Karma

richgalloway
SplunkTrust

In Splunk Enterprise GUI, go to Settings->Forwarding and Receiving and click Configure Receiving. Verify your forwarder is listed there. If it isn't, click the New button to tell Splunk to listen on the right port.

---
If this reply helps you, Karma would be appreciated.
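
The distinction the answers above rely on, as an added example (not from any post in this thread, and not Splunk's own tooling): forwarding is set in outputs.conf, deployment-client enrolment in deploymentclient.conf, and the "Select Forwarders" page only lists hosts that have the latter. The script reads a forwarder's etc/system/local directory; the function names, the sample files and the address 192.0.2.10 are constructed for illustration, and the sample assumes the [tcpout] and [target-broker:deploymentServer] stanzas as the two CLI commands write them.

```shell
#!/bin/sh
# Added example: tell "forwards data" apart from "is a deployment client"
# by reading the forwarder's etc/system/local directory.

# conf_value FILE STANZA KEY -> prints KEY's value inside [STANZA], if any
conf_value() {
    [ -f "$1" ] || return 0
    awk -v stanza="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t\r]+$/, ""); in_stanza = ($0 == stanza); next }
        in_stanza && /^[ \t]*[^#=]+=/ {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
            print v; exit
        }' "$1"
}

# forwarder_state DIR -> one line summarising both settings
forwarder_state() {
    group=$(conf_value "$1/outputs.conf" tcpout defaultGroup)
    server=$(conf_value "$1/outputs.conf" "tcpout:$group" server)
    ds=$(conf_value "$1/deploymentclient.conf" target-broker:deploymentServer targetUri)
    echo "forwards_to=${server:-none} deployment_server=${ds:-none}"
}

# diagnose DIR -> what that state means for the two Splunk Web pages
diagnose() {
    case $(forwarder_state "$1") in
        "forwards_to=none "*)
            echo "no indexer configured: run 'splunk add forward-server <host>:<port>'" ;;
        *"deployment_server=none")
            echo "forwarding only: not listed as a deployment client until 'splunk set deploy-poll' is run" ;;
        *)  echo "forwarding and deployment client both configured" ;;
    esac
}

# Constructed sample files; 192.0.2.10 is a documentation address.
demo=$(mktemp -d)
printf '%s\n' '[tcpout]' 'defaultGroup = default-autolb-group' '' \
    '[tcpout:default-autolb-group]' 'server = 192.0.2.10:9997' > "$demo/outputs.conf"
diagnose "$demo"    # the state described in the question
# What 'splunk set deploy-poll 192.0.2.10:8089' adds (8089 is the default management port):
printf '%s\n' '[target-broker:deploymentServer]' 'targetUri = 192.0.2.10:8089' \
    > "$demo/deploymentclient.conf"
diagnose "$demo"    # the state after step 4 of the accepted answer
rm -rf "$demo"
```

On a real forwarder, pass $SPLUNK_HOME/etc/system/local to diagnose; settings placed in other app directories are not read by this script.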