Forwarders configuration

andreac81 · ‎06-09-2017

Hi to all, I configured a forwarder as following

In Splunk Server:
- in /opt/splunk/etc/deployment-apps I copyed the forwarder apps (fwd_common, fwd_jboss,..)
- in /opt/splunk/etc/deployment-apps/fwd_common/default/outputs.conf I inserted

[tcpout]
defaultGroup = ovdgroup

[tcpout:ovdgroup]
server = splunkserverIP:9997
autoLB = true

in /opt/splunk/splunk/etc/system/local/serverclass.conf I inserted

[serverClass:FWD_JBOSS]
whitelist.0 = monitoredserverhostname

[serverClass:FWD_COMMON]
whitelist.0 = monitoredserverhostname
I set the inputs.conf files in order to analyze log files.

In Forwarder management, in "Clients" tab, I can see the client (Jboss Server) that "Phoned Home" a few seconds ago and in "Apps" tab I can see the apps deployed.

The indexes that should be populated by jboss log files are empty.

Wich checks can I perform in order to understand why indexes are empty?

Thanks,
Andrea

andreac81 · ‎06-17-2017

If I search for index=internal the only host present is the spkunk server, so I think clients aren't sending data.
But In Forwarder management, in "Clients" tab, I can see the client (Jboss Server) that "Phoned Home" a few seconds ago and in "Apps" tab I can see the apps deployed, so where the bug is?

adonio · ‎06-09-2017

hello there,
try this article:
http://docs.splunk.com/Documentation/Splunk/6.6.1/Troubleshooting/Cantfinddata
also, did you set your app to restart splunkd? enable restart configuration, might be needed when adding inputs.
good way to check is to search index =_intrenal host=yourhost
if theres data, it means the inputs did not apply
if there is not, check also outputs
hope it helps

andreac81 · ‎06-16-2017

I tried following search

index =_internal clientip=10.95.1.119

All results are like

16/06/17 10.21.08,858   
10.95.1.119 - - [16/Jun/2017:10:21:08.858 -0400] "POST /services/broker/phonehome/connection_10.95.1.119_8089_10.95.1.119_hostname HTTP/1.1" 200 1126 - - - 1ms
host = splunk-server.novalocal source = /opt/splunk/splunk/var/log/splunk/splunkd_access.log sourcetype = splunkd_access

I think the only activity is the "phonehome/connection" but not log file forward.
Have I failed to install forwarder? I've read http://docs.splunk.com/Documentation/Splunk/6.6.1/Troubleshooting/Cantfinddata but it's seems to be ok.

Thanks

adonio · ‎06-16-2017

does you host sends data to splunk?
index=_internal host=yourUniqueHost
can you look at the host file structure?
go to splunkforwarder/etc/apps/ and make sure you see the apps you are trying to deploy
hope it helps

adonio · ‎06-18-2017

look here:
http://docs.splunk.com/Documentation/Splunk/6.6.1/Updating/Useserverclass.conf
your severclass.conf is off.
will recommend to start with the GUI by creating a serverclass, adding clients and adding apps
then go to back-end and look at the serverclass.conf that splunk created.
the logic can be sometimes a little confusing

Forwarders configuration

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation

Forwarders configuration

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...