Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cannot see the Universal forwarder From Splunk Enterprise

mmatin
Engager
Saturday

Hi,

I have setup 2 VMs in Virtual box, installed the Splunk Enterprise in Windows server 2022, and installed the universal forwarder in windows 10 VM.

I have enabled listening port 9997 in Splunk Enterprise.

While installing UF, I have skipped the deployment server config (let it empty), and entered the IP of Windows server machine in the receiving indexer window.

Then I checked the connection from UF machine to Splunk enterprise by this PS command:

Test-NetConnection -Computername xxx.xxx.x.xxx -port 9997     (Successful)

and from Splunk to Universal forwarder

Test-NetConnection -Computername xxx.xxx.x.xxx     (Successful)

So connection is up and running between the 2 devices.

But then in Splunk Enterprise, when I go to Settings > Forwarder Management, I cannot see the windows client.

Same issue in Settings > Add Data > Forward

"There are currently no forwarders configured as deployment clients to this instance"

=== > What am i doing wrong? Did i skip any configuration? Can someone help PLEASE?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mmatin
Engager
Saturday

## Solution found:

- Issue was the windows defender firewall for outbound traffic in the windows 10 (UF machine). Added a new outbound rule for any traffic outgoing via splunkd.exe. And now I can see the device in Forwarder management. 🙂 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mmatin
Engager
Saturday

## Solution found:

- Issue was the windows defender firewall for outbound traffic in the windows 10 (UF machine). Added a new outbound rule for any traffic outgoing via splunkd.exe. And now I can see the device in Forwarder management. 🙂 🙂

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
Saturday

You skipped the DS configuration so your UF is _not_ managed by the DS.

You can still configure your UF manually and if you properly pointed it to the indexer, you should see the internal UF's logs in the _internal index but you can't manage the UF until you point it at DS

See https://docs.splunk.com/Documentation/Splunk/latest/Updating/Configuredeploymentclients

0 Karma
Reply
Solved! Jump to solution

mmatin
Engager
Saturday

So do I need another VM setup as the Deployment server? I saw 1 or 2 videos where they said since it's a simple lab setup and only one local forwarder, don't need deployment server config.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
Saturday

No. Your AIO (all-in-one) box which works as SH and indexer can also be a DS. (And it tries to be since you have the forwarder management section enabled in your gui).

0 Karma
Reply
Solved! Jump to solution

mmatin
Engager
Saturday

Tried fresh installation with config for DS as well, didnt work.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Let’s Talk Terraform

If you’re beyond the first-weeks-of-a-startup stage, chances are your application’s architecture is pretty ...

Cloud Platform | Customer Change Announcement: Email Notification is Available For ...

The Notification Team is migrating our email service provider. As the rollout progresses, Splunk has enabled ...

Save the Date: GovSummit Returns Wednesday, December 11th!

Hey there, Splunk Community! Exciting news: Splunk’s GovSummit 2024 is returning to Washington, D.C. on ...