Forwarder configuration to forward OS data

Explorer

Hello,

How can I install and configure a forwarder on my Windows machine to transfer OS data (CPU load, memory, etc.) to my Splunk indexer (running on a Solaris machine)?

I want the Windows machine data to be displayed in my NIX app on my indexer.

Guide me about what configurations I would have to make for this. Also, would I need a universal forwarder for this or a light forwarder?

Regards,

0 Karma
1 Solution

Splunk Employee

You'll have to configure your indexer to receive data. Install the Windows Universal Forwarder and set it to forward to the indexer (you should be prompted to do this during the install, but here's the doc: http://www.splunk.com/base/Documentation/4.2.1/Deploy/Configureforwarderswithoutputs.confd ). During the install you can also enable Perfmon inputs, but I believe there's a bug right now in the installer where the Perfmon inputs won't actually be created, so I think you'll have to do it by hand -- http://www.splunk.com/base/Documentation/latest/Admin/Perfmonconf .

However, the Windows data won't show in the nix app. You'll want to install the Windows app on the search head.

0 Karma

Explorer

Thank you for your answer dear,

I have installed the forwarder on the Windows machine, and my Perfmon data is shown in my indexer when I perform a search by IP address.

The problem I was getting was that the data is not shown in the NIX app, which you have answered: Windows data is not supported in the NIX app.

I have deployed another forwarder on a Solaris machine, but its data is also not shown in NIX. As I understand it, it might be a problem in the configuration.

What I did was just install the universal forwarder on the machine and configure the port in its output.conf file. The data from this machine is also shown when I perform a search by IP; however, the host is not listed under the host list in the NIX app. Do I have to make any further configurations?

Regards,

0 Karma

Splunk Employee

Did you configure any inputs on the Solaris machine? If not, you can deploy the full Unix app to the Solaris machine and enable the inputs (i.e. copy the desired stanza headers from default/inputs.conf to local/inputs.conf and set disabled = false).

0 Karma
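
The step described in the reply above (copy the desired stanza headers from default/inputs.conf to local/inputs.conf and set disabled = false), written as an added shell example that is not part of the original thread or of Splunk's own tooling. The function names, the sample stanzas and their settings are constructed for illustration, and a POSIX grep with `-F`, `-q` and `-x` is assumed.

```shell
#!/bin/sh
# Constructed sample standing in for the Unix app's default/inputs.conf
# (stanza names and settings are illustrative, not copied from the app).
write_sample_default() {
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<'EOF'
[script://./bin/cpu.sh]
interval = 30
sourcetype = cpu
disabled = 1

[script://./bin/vmstat.sh]
interval = 60
sourcetype = vmstat
disabled = 1
EOF
}

# enable_inputs DEFAULT_CONF LOCAL_CONF STANZA...
# Appends each requested stanza header to LOCAL_CONF with "disabled = false".
# DEFAULT_CONF is only read, so the app's shipped defaults stay untouched.
# Returns 1 if any requested stanza is missing from DEFAULT_CONF.
enable_inputs() {
    default_conf=$1; local_conf=$2; shift 2
    [ -r "$default_conf" ] || { echo "cannot read $default_conf" >&2; return 2; }
    mkdir -p "$(dirname "$local_conf")" || return 2
    rc=0
    for stanza in "$@"; do
        header="[$stanza]"
        # A mistyped header would create a stanza that overrides nothing,
        # leaving the real input disabled and the host silently unmonitored.
        if ! grep -Fqx -- "$header" "$default_conf"; then
            echo "skip: $header not found in $default_conf" >&2
            rc=1; continue
        fi
        # Idempotent: do not add the same header twice on a rerun.
        if [ -f "$local_conf" ] && grep -Fqx -- "$header" "$local_conf"; then
            echo "skip: $header already in $local_conf" >&2
            continue
        fi
        printf '%s\ndisabled = false\n\n' "$header" >> "$local_conf"
    done
    return $rc
}

# Usage (paths are placeholders for the app directory on the forwarder):
#   enable_inputs APP/default/inputs.conf APP/local/inputs.conf 'script://./bin/cpu.sh'
```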
