Getting Data In

Forwarder - Please Clarify Usage

dejager
Explorer

Ok I am lost.
I have a universal forwarder installed on a Win server
I have the Splunk Web Interface (on separate server) in which I can see the forwarder (Settings -> Forwarder Manager)
Now this newbie question: How do I use the data in search - I suspect that I need to add Data, my question is how.
I did have a look in the documentation but could not see the answer.

1 Solution

lukejadamec
Super Champion

When you installed the forwarder on the Win server you should have entered the IP address for the indexer, and you should have selected the event logs that you want Splunk to index.

If you did that, then you can start searching by entering the following in the search app, and from the time picker select all time:

index=main

On the left side of the screen you will see a list of fields with top 10 values per field. You can use those to narrow your search.

You really should read the docs, and perhaps take a tutorial or two.

dejager
Explorer

Ok found the problem.
And yes - I did read the documentation before; what I did miss is that the Windows install points the input to port 9997 and that you have to manually fix the input.conf (C:\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default).

Thanks for the assist


Ayn
Legend

Sounds to me you should be reading the docs: http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Aboutforwardingandreceivingdata

You need to configure inputs on your forwarder. It won't automatically read and forward any data so you need to tell it what to grab.
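
For reference, the three pieces this thread touches (what the forwarder collects, where it sends it, and the port the indexer listens on) look like this as configuration. This is an added example, not part of any post in the thread; the `local` file locations, the group name `primary_indexers`, the choice of event logs and the `<indexer-ip>` placeholder are assumptions.

```ini
# ---- On the forwarder: outputs.conf (where to send data) ----
# Assumed location: C:\SplunkUniversalForwarder\etc\system\local\outputs.conf
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Placeholder: replace with the address of your indexer.
# 9997 is the receiving port mentioned in the thread.
server = <indexer-ip>:9997

# ---- On the forwarder: inputs.conf (what to collect) ----
# Assumed location: C:\SplunkUniversalForwarder\etc\system\local\inputs.conf
# Nothing is forwarded until at least one input stanza is enabled.
[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

[WinEventLog://Application]
disabled = 0

# ---- On the indexer: inputs.conf (listen for forwarders) ----
# The indexer must be receiving on the same port the forwarder sends to.
[splunktcp://9997]
disabled = 0
```

Settings placed in a `local` directory take precedence over the same file under `default` and are not overwritten by an upgrade. Restart the forwarder after editing; events with no `index` setting on the input go to `main`, so `index=main` with the forwarder's host name should then return them.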

dejager
Explorer

Here is what is confusing.
1) I can see the forwarder | Settings -> Forwarder Management

2) In Search -> What to Search (Data Summary), the host from where the data is being sent by the forwarder is not being shown.

As I understand Splunk - I need to see the data before I can search, and I am not seeing the forwarder's data.
