Getting Data In

Cannot see host on the Splunk server

triptrops
Explorer

I need help on my Splunk server. I cannot see the host the splunk server.
here is what my setup went:

1) install full splunk on server1. Installed *nix app and verified that it is collecting data.

2) install full splunk on server2. Installed *nix app and verified that it is collecting data.

3) configure receiving on splunk server1 to port 9997.

4) Enabled forwarding on server2.

cd /opt/splunk/bin

./splunk start

./splunk enable app SplunkLightForwarder

./splunk restart

./splunk add forward-server :9997

./splunk restart

5) Opened splunk server1 web but did not see server2.

Please advise, I appreciate your help ,thank you.

Tags (1)
0 Karma

sdwilkerson
Contributor

Triptrops,

In your step above: "./splunk add forward-server :9997", what is the name/address of the receiving host (i.e. server1) that server2 should use? Note: That IP should go before the :9997.

When you run $SPLUNK_HOME/bin/splunk help add, you will see this example in the output:
./splunk add forward-server bologna:9997

In this case, the system bologna is the receiving host.

Set this correctly, and it will probably work.

Also, as a side note, if you are going to use the SplunkLightForwarder, you will probably be better off using the Splunk Universal Forwarder (a different installation package).

Sean

0 Karma

triptrops
Explorer

I enabled the Splunk Universal Forwarder but still the splunk server cannot see it. Am I missing some steps?

0 Karma

triptrops
Explorer

Thanks Sean for your immediate response. Actually it was a typographical error.

I did execute this line as:

./splunk add forward-server server1.domain.com:9997

I still cannot see the host.

By the way, what is the difference between the light and the universal forwarder.

Thanks

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...