Getting Data In

Cannot see host on the Splunk server

triptrops
Explorer

I need help on my Splunk server. I cannot see the host the splunk server.
here is what my setup went:

1) install full splunk on server1. Installed *nix app and verified that it is collecting data.

2) install full splunk on server2. Installed *nix app and verified that it is collecting data.

3) configure receiving on splunk server1 to port 9997.

4) Enabled forwarding on server2.

cd /opt/splunk/bin

./splunk start

./splunk enable app SplunkLightForwarder

./splunk restart

./splunk add forward-server :9997

./splunk restart

5) Opened splunk server1 web but did not see server2.

Please advise, I appreciate your help ,thank you.

Tags (1)
0 Karma

sdwilkerson
Contributor

Triptrops,

In your step above: "./splunk add forward-server :9997", what is the name/address of the receiving host (i.e. server1) that server2 should use? Note: That IP should go before the :9997.

When you run $SPLUNK_HOME/bin/splunk help add, you will see this example in the output:
./splunk add forward-server bologna:9997

In this case, the system bologna is the receiving host.

Set this correctly, and it will probably work.

Also, as a side note, if you are going to use the SplunkLightForwarder, you will probably be better off using the Splunk Universal Forwarder (a different installation package).

Sean

0 Karma

triptrops
Explorer

I enabled the Splunk Universal Forwarder but still the splunk server cannot see it. Am I missing some steps?

0 Karma

triptrops
Explorer

Thanks Sean for your immediate response. Actually it was a typographical error.

I did execute this line as:

./splunk add forward-server server1.domain.com:9997

I still cannot see the host.

By the way, what is the difference between the light and the universal forwarder.

Thanks

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...