Getting Data In

Forwarder Configuration - Cloud Setup

mailmetoramu
Explorer

Hi,

Have installed universal forwardesr in my linux machines & configured as below :

Step 1: ./splunk add forward-server :

Step 2 : ./splunk set deploy-poll :

Step 3 : ./splunk add monitor /var/log ( Configured data inputs on the forwarder )

Step 4 : Re-started the splunk.

But after all these steps still its showing error like below

Error no 1 : ''Forwarder not configured'' please configure outputs.conf

Error no 2 : ''Forwarder not active''.

Please do let me know the correct configurations.

Thanks in advance ..!!

Tags (1)
0 Karma

gneumann_splunk
Splunk Employee
Splunk Employee

I don't see where you have added your cloud credentials.

Confirm you have followed these steps:
http://docs.splunk.com/Documentation/SplunkCloud/7.0.0/User/ForwardDataToSplunkCloudFromLinux

0 Karma

mailmetoramu
Explorer

Hi Gnewmann,

Apart from the above steps you mentioned, before that please let me know whether after installing Forwarders do i need configure outputs.conf or inuts.conf apart from Deployemnt server.conf & forwarder.conf

Thanks,

Ramu.R

0 Karma

gneumann_splunk
Splunk Employee
Splunk Employee

For self-service deployments, if you follow the steps in http://docs.splunk.com/Documentation/SplunkCloud/7.0.0/User/ForwardDataToSplunkCloudFromLinux using Splunk Web (the Splunk user interface), you should be successful in configuring your universal forwarder and making a connection to your Splunk Cloud instance. Be sure to follow closely Steps 3, 4, and 5, and you should only have to configure the deployment server as noted in the instructions.

After following these steps, you should see your forwarder, and you should be able to configure data inputs.

You should not have to configure the outputs.conf, inputs.conf or forwarder.conf separately from the instructions listed in the link above to make a connection to your forwarder. The configuration instructions for outputs.conf and inputs.conf are for a Splunk Enterprise instance, not Splunk Cloud. This might be confusing in the Forwarding Data guide.

Please let me know if you are successful. If you continue to have issues, or you have a managed Splunk Cloud deployment, I can put you in touch with someone else that might be able to further help troubleshoot this issue.

0 Karma

mailmetoramu
Explorer

Will try the mentioned steps & keep you posted.

Anywazz thanks you so much Gneumann...

0 Karma

p_gurav
Champion

Can you check ./splunk list forward-server? Is there any forwarder in active list? Also make sure all required ports are open between forwarder and deployment server.

0 Karma

mailmetoramu
Explorer

Hi Gaurav,

Yes already executed that command as well but getting the below error :

Active forwards: None

Configured but inactive forwards:

0 Karma

p_gurav
Champion

Is there any error in _internal? Also did you configure receiving on indexer with 9997?

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

<P style=" text-align: center; "><span class="lia-inline-image-display-wrapper lia-image-align-center" ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

<FONT size="5"><FONT size="5" color="#FF00FF">Get the latest news and updates from the Splunk Community ...