Files not indexed on new installation.

New Member

I've followed the documentation as best I can to create an instance of Splunk Enterprise on one Windows server.
Then I added port 9997 as a receiving data port on this admin page: "http://localhost:8000/en-US/manager/search/data/inputs/tcp/cooked"

Then on a different server I've installed a universal forwarder, then added c:\logs as a monitor folder using the CLI command .\splunk.exe add monitor c:\logs
The confirmation "Added monitor of 'c:\logs'." was displayed.

After doing all this the logs still don't appear in the Splunk web interface! Is there a log I can look in to see if the files in the logs folder are getting sent or if there is an error? I'm not sure what I'm missing now.

All running on Windows 2012 R2 64-bit.

cheers
Damo

SplunkTrust

Hi,

Check step 5 in the docs http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Setupforwardingandreceiving#Set_up_for... you have to tell the forwarder where to send the monitored data.

cheers, MuS

New Member

Thanks for the pointer, I'm looking into it now.

I used the command line from PowerShell
cmd /c "msiexec.exe /i splunkforwarder-6.2.1-245427-x64-release.msi AGREETOLICENSE=Yes RECEIVING_INDEXER='simdc01:9997' MONITOR_PATH='c:\logs' PERFMON=cpu,memory,network,diskspace /quiet"
to install the forwarder.

Is there a CLI command for telling the forwarder where to send the data?

SplunkTrust

Looks good to me. Can you connect from the forwarder to the indexer on port 9997? Any firewall in between, or routing problems? What does splunkd.log on the indexer and the forwarder report?

New Member

Thanks for replying so quickly. I've got the splunkd logs for both, what am I looking for exactly?

In the forwarder I can see:

TailingProcessor - Parsing configuration stanza: monitor://c:\logs.
...
TailingProcessor - Adding watch on path: c:\logs.

But I also see this:
ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.
which I guess is what you are referring to in step 5.
Is there a CLI command for setting this up?
cheers
Damian

SplunkTrust

Using the flag RECEIVING_INDEXER='simdc01:9997' should have taken care of the outputs.conf...
Did you check any of the outputs.conf files on your forwarder to see if the config is correct?

New Member

None of the forwarder's outputs.conf files contain that.
I've added a file at C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf with the following:
[tcpout]
RECEIVING_INDEXER='simdc01:9997'

I've restarted the service but am still getting the error
TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.

SplunkTrust

Oh... no, that's not correct. The option RECEIVING_INDEXER is only used on the CLI. Use this instead in your outputs.conf:

[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = simdc01:9997
autoLB = true

Use it this way, because you can add another indexer very easily and have load balancing between them.
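
A small offline check for the outputs.conf chain in the answer above, as an added example that is not part of the original thread or Splunk's own tooling. The function name and messages are hypothetical, the two sample configs are reconstructed from the posts, and `server` entries are assumed to be hostname or IPv4 `host:port` values.

```python
import configparser
import re

# Constructed samples mirroring the two outputs.conf files posted in the thread.
BROKEN = "[tcpout]\nRECEIVING_INDEXER='simdc01:9997'\n"
WORKING = """[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = simdc01:9997
autoLB = true
"""

# Assumption: hostname or IPv4 followed by a port (no IPv6 literals).
SERVER_RE = re.compile(r"^[A-Za-z0-9._-]+:(\d{1,5})$")

def check_outputs_conf(text):
    """Return a list of problems; an empty list means the tcpout chain resolves."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep setting names exactly as written in the file
    cp.read_string(text)
    if not cp.has_section("tcpout"):
        return ["no [tcpout] stanza"]
    problems = []
    if "RECEIVING_INDEXER" in cp["tcpout"]:
        problems.append("RECEIVING_INDEXER is an installer option, not an outputs.conf setting")
    groups = [g.strip() for g in cp["tcpout"].get("defaultGroup", "").split(",") if g.strip()]
    if not groups:
        problems.append("[tcpout] has no defaultGroup")
    for group in groups:
        stanza = "tcpout:" + group
        if not cp.has_section(stanza):
            problems.append("defaultGroup names %r but [%s] is missing" % (group, stanza))
            continue
        servers = [s.strip() for s in cp[stanza].get("server", "").split(",") if s.strip()]
        if not servers:
            problems.append("[%s] has no server setting" % stanza)
        for s in servers:
            m = SERVER_RE.match(s)
            if not m or not 1 <= int(m.group(1)) <= 65535:
                problems.append("[%s] server %r is not host:port" % (stanza, s))
    return problems

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("working", WORKING)):
        print(name, check_outputs_conf(text) or "OK")
```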

New Member

Brilliant, now getting the message

TcpOutputProc - Connected to idx=10.181.230.238:9997

And seeing a test log file in the Splunk UI.
Thanks
Only question left is how do I automate what I just did?
I think the only CLI command I need is the one to configure tcpout. Is this what you were referring to with the RECEIVING_INDEXER='simdc01:9997' comment earlier?

SplunkTrust

Take a look at the docs http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/DeployaWindowsdfviathecommandline you can find some examples in there. Feel free to accept this as answered - you will get some karma too 😉