I have installed Splunk Enterprise in a Windows environment. I have installed Universal Forwarder on a separate machine. Before running the ./splunk add forward_server command (to add the indexer), I ran ipconfig from the Windows box where Splunk Enterprise is. Using that IPv4 address (let's call it xxx.xx.xxx.xxx), I then successfully pinged that address from where I installed the forwarder (a Linux machine). Then, using the default forwarder port (9997), I ran the command as:
./splunk add forward-server xxx.xx.xxx.xxx:9997
which ran successfully. I then restarted forwarder like:
and the forwarder successfully restarted. I verified that the outputs.config file in the splunk_home/etc/system/local had the correct settings:
defaultGroup = default-autolb-group
server = xxx.xx.xxx.xxx:9997
I then logged into the Splunk Enterprise web interface, and selected the "Add Data" link, and then the "forward" link. At the top it says "Select Forwarders", but beneath that there is a red triangle that says "There are currently no forwarders configured as deployment clients to this instance".
Am I doing something wrong? If so, how do I diagnose and correct? Grateful for any response!
In Splunk Enterprise GUI, go to Settings->Forwarding and Receiving and click Configure Receiving. Verify your forwarder is listed there. If it isn't, click the New button to tell Splunk to listen on the right port.
There are a couple of points here:
1. enable listening on the indexer: Settings -> Forwarding and Receiving -> Configure Receiving -> new -> add port 9997
2. now, check if data is coming from forwarder by searching:
index = _internal host=<yourForwarder> | head
3. if the data is there, you are good to proceed to add the forwarder as a Deployment Client (if you wish to). If not, check this doc for further troubleshooting: http://docs.splunk.com/Documentation/Splunk/6.5.2/Troubleshooting/Cantfinddata
4. to add the forwarder as a deployment client, use the following commands on the forwarder:
splunk set deploy-poll <IP_address/hostname>:<management_port>
splunk restart
more details here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Updating/Configuredeploymentclients
5. now navigate to Settings -> Forwarder Management and see your forwarder
Hope it helps
Thanks for the reply, adonio. I have successfully set up my universal forwarder as a deployment client by following your directions.
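The distinction this thread turns on, as an added example that is not part of any post above: `add forward-server` only writes outputs.conf, while the "Select Forwarders" page lists deployment clients, which also need deploymentclient.conf (written by `set deploy-poll`). The function names, the stanza names (assumed to be the ones the CLI writes by default), and the address 10.0.0.5 are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: report what a forwarder's local config directory sets up.
# Assumes the settings are in one directory such as $SPLUNK_HOME/etc/system/local;
# copies under etc/apps are not inspected.

# conf_value FILE STANZA KEY: print KEY's value inside [STANZA], or nothing.
conf_value() {
    [ -r "$1" ] || return 0
    awk -v want="[$2]" -v key="$3" '
        { sub(/\r$/, "") }                      # tolerate CRLF files
        /^[ \t]*#/ { next }                     # skip comment lines
        /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t]+$/, ""); in_s = ($0 == want); next }
        in_s {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# fwd_status DIR: forwarding target and deployment server, if configured.
fwd_status() {
    group=$(conf_value "$1/outputs.conf" tcpout defaultGroup)
    recv=$(conf_value "$1/outputs.conf" "tcpout:$group" server)
    ds=$(conf_value "$1/deploymentclient.conf" target-broker:deploymentServer targetUri)
    if [ -z "$recv" ]; then echo "no-forwarding"
    elif [ -z "$ds" ]; then echo "forwarding-only receiver=$recv"
    else echo "forwarding+deployment-client receiver=$recv deployment_server=$ds"
    fi
}

# write_sample DIR yes|no: constructed sample files (10.0.0.5 is made up;
# 8089 is Splunk's default management port).
write_sample() {
    printf '%s\n' '[tcpout]' 'defaultGroup = default-autolb-group' '' \
        '[tcpout:default-autolb-group]' 'server = 10.0.0.5:9997' > "$1/outputs.conf"
    [ "$2" = yes ] || return 0
    printf '%s\n' '[target-broker:deploymentServer]' 'targetUri = 10.0.0.5:8089' \
        > "$1/deploymentclient.conf"
}

# With a directory argument, inspect it; otherwise demonstrate on the samples.
if [ $# -gt 0 ]; then
    fwd_status "$1"
else
    demo=$(mktemp -d)
    write_sample "$demo" no;  fwd_status "$demo"
    write_sample "$demo" yes; fwd_status "$demo"
    rm -rf "$demo"
fi
```

A result of `forwarding-only` matches the state described in the question: data can reach the indexer on 9997, yet the instance still reports no deployment clients.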