Getting Data In

Files not indexed on new installation.

damian_ingenie_
New Member

I've followed the documentation as best I can to create an instance of Splunk Enterprise on one Windows server.
Then I added port 9997 as a receiving data port on this admin page "http://localhost:8000/en-US/manager/search/data/inputs/tcp/cooked"

Then on a different server I've installed a universal forwarder. Then I added c:\logs as a monitor folder using the CLI command .\splunk.exe add monitor c:\logs
The confirmation "Added monitor of 'c:\logs'." was displayed.

After doing all this the logs still don't appear in the Splunk web interface! Is there a log I can look in to see if the files in the logs folder are getting sent, or if there is an error? I'm not sure what I'm missing now.

All running on Windows 2012 R2 64-bit.

cheers
Damo

0 Karma
1 Solution

MuS
Legend

Hi,

Check step 5 in the docs http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Setupforwardingandreceiving#Set_up_for... ; you have to tell the forwarder where to send the monitored data.

cheers, MuS


damian_ingenie_
New Member

Thanks for the pointer, I'm looking into it now.

I used the command line from PowerShell
cmd /c "msiexec.exe /i splunkforwarder-6.2.1-245427-x64-release.msi AGREETOLICENSE=Yes RECEIVING_INDEXER='simdc01:9997' MONITOR_PATH='c:\logs' PERFMON=cpu,memory,network,diskspace /quiet"
to install the forwarder

Is there a CLI command for telling the forwarder where to send the data?

0 Karma

MuS
Legend

Looks good to me. Can you connect from the forwarder to the indexer port 9997? Any firewall in between or routing problems? What does splunkd.log on the indexer and the forwarder report?

0 Karma

damian_ingenie_
New Member

Thanks for replying so quick. I've got the splunkd logs for both, what am I looking for exactly?

In the forwarder I can see:

TailingProcessor - Parsing configuration stanza: monitor://c:\logs.
...
TailingProcessor - Adding watch on path: c:\logs.

But I also see this:
ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.
which I guess is what you are referring to in step 5.
Is there a CLI command for setting this up?
cheers
Damian

0 Karma

MuS
Legend

Using the flag RECEIVING_INDEXER='simdc01:9997' should have taken care of the outputs.conf...
Did you check any of the outputs.conf files on your forwarder to see if the config is correct?

0 Karma

damian_ingenie_
New Member

None of the forwarder's outputs.conf files contain that.
I've added a file at C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf with the following:
[tcpout]
RECEIVING_INDEXER='simdc01:9997'

I've restarted the service but am still getting the error:
TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.

0 Karma

MuS
Legend

Oh, no, that's not correct. The option RECEIVING_INDEXER is only used on the CLI. Use this instead in your outputs.conf:

[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = simdc01:9997
autoLB = true

Use it this way, because you can add another indexer very easily and have load balancing between them.
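As an added illustration of the mistake above (not part of the thread or of Splunk's own tooling), the following Python checks a forwarder's outputs.conf for the structure MuS describes: a [tcpout] stanza with a defaultGroup, a matching [tcpout:<group>] stanza, and host:port server entries. Both configurations are constructed inline from the posts in this thread.

```python
import configparser
import re

# Constructed sample: the outputs.conf from this thread that triggered
# "UniversalForwarder not configured" (RECEIVING_INDEXER is an MSI flag, not a key).
BROKEN_CONF = """[tcpout]
RECEIVING_INDEXER='simdc01:9997'
"""

# Constructed sample: the working configuration from the accepted answer.
FIXED_CONF = """[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = simdc01:9997
autoLB = true
"""

HOST_PORT = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}$")


def check_outputs_conf(text):
    """Return a list of problems; an empty list means tcpout has a usable destination."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    problems = []
    if "tcpout" not in cp:
        return ["missing [tcpout] stanza"]
    tcpout = cp["tcpout"]
    for key in tcpout:
        if key.upper() == "RECEIVING_INDEXER":
            problems.append("RECEIVING_INDEXER is an installer flag, not an outputs.conf key")
    group = tcpout.get("defaultGroup")
    if not group:
        problems.append("[tcpout] has no defaultGroup, so the forwarder has no destination")
        return problems
    for name in (g.strip() for g in group.split(",")):
        stanza = f"tcpout:{name}"
        if stanza not in cp:
            problems.append(f"defaultGroup refers to missing stanza [{stanza}]")
            continue
        targets = [s.strip() for s in cp[stanza].get("server", "").split(",") if s.strip()]
        if not targets:
            problems.append(f"[{stanza}] has no server entry")
        for target in targets:
            if not HOST_PORT.match(target):
                problems.append(f"[{stanza}] server entry {target!r} is not host:port")
    return problems
```

Run it against the broken file and it reports both the stray installer flag and the missing defaultGroup; the fixed file returns no problems.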

damian_ingenie_
New Member

Brilliant, now getting the message

TcpOutputProc - Connected to idx=10.181.230.238:9997

And seeing a test log file in the Splunk UI.
Thanks.
Only question left is how do I automate what I just did?
I think the only CLI command I need is the one to configure tcpout. Is this what you were referring to with the RECEIVING_INDEXER='simdc01:9997' comment earlier?

0 Karma

MuS
Legend

Take a look at the docs http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/DeployaWindowsdfviathecommandline ; you can find some examples in there. Feel free to accept this as answered - you will get some karma too 😉

0 Karma