Getting Data In

Forwarder configuration to forward os data

mkashif
Explorer

Hello,

How can I install and configure a forwarder on my Windows machine to transfer OS data (CPU load, memory, etc.) to my Splunk indexer (running on a Solaris machine)?

I want the Windows machine data to be displayed in my NIX app on my indexer.

Please guide me on what configurations I would have to make for this. Also, would I need a universal forwarder for this or a light forwarder?

Regards,


mw
Splunk Employee

You'll have to configure your indexer to receive data. Install the Windows Universal Forwarder and set it to forward to the indexer (you should be prompted to do this during the install, but here's the doc: http://www.splunk.com/base/Documentation/4.2.1/Deploy/Configureforwarderswithoutputs.confd ). During the install you can also enable Perfmon inputs, but I believe there's a bug right now in the installer where the Perfmon inputs won't actually be created, so I think you'll have to do it by hand -- http://www.splunk.com/base/Documentation/latest/Admin/Perfmonconf .

However, the Windows data won't show in the nix app. You'll want to install the Windows app on the search head.


mkashif
Explorer

Thank you for your answer,

I have installed the forwarder on the Windows machine and my perfmon data is being shown in my indexer when I perform a search by IP address.

The problem I was getting was that the data is not being shown in the NIX app, which you have answered: Windows data is not supported in the NIX app.

I have deployed another forwarder on a Solaris machine but its data is also not being shown in NIX. As I understand it, there might be a problem in the configuration.

What I did was just install the universal forwarder on the machine and configure the port in its output.conf file. The data of this machine is also being shown when I perform a search by IP; however, the host is not being listed under the host list in the NIX app. Do I have to make any further configurations in it?

Regards,


mw
Splunk Employee

Did you configure any inputs on the Solaris machine? If not, you can deploy the full Unix app to the Solaris machine and enable the inputs (i.e. copy the desired stanza headers from default/inputs.conf to local/inputs.conf and set disabled = false).
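
The configuration pieces discussed in this thread, collected as an added example that is not part of the original posts or Splunk's shipped files: the indexer's receiving port, the Windows forwarder's output and hand-written Perfmon inputs, and the Solaris forwarder's enabled Unix app inputs. Assumptions: the host name and port 9997 are constructed, the Unix app script stanza names are assumed, and the Perfmon inputs use the `[perfmon://...]` form of inputs.conf, which may differ from the perfmon.conf file the linked docs describe.

```ini
# --- Indexer (Solaris): $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Open a receiving port for forwarder traffic (9997 is a constructed choice).
[splunktcp://9997]
disabled = false

# --- Windows universal forwarder: etc/system/local/outputs.conf ---
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# indexer.example.com is a placeholder for the Solaris indexer.
server = indexer.example.com:9997

# --- Windows universal forwarder: etc/system/local/inputs.conf ---
# Perfmon inputs written by hand, covering the CPU load and memory
# data asked about in the question.
[perfmon://CPU Load]
object = Processor
counters = % Processor Time
instances = _Total
interval = 10
disabled = 0

[perfmon://Available Memory]
object = Memory
counters = Available MBytes
interval = 10
disabled = 0

# --- Solaris forwarder: etc/apps/unix/local/inputs.conf ---
# Stanza headers copied from the app's default/inputs.conf and enabled.
# The script names below are assumed; use the headers found in your
# copy of default/inputs.conf.
[script://./bin/cpu.sh]
disabled = false

[script://./bin/vmstat.sh]
disabled = false
```

Restart each Splunk instance after editing its files so the new stanzas are loaded.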
