Hi all,
I'm very new to Splunk and am doing it for a school project. I was tasked to forward data from a Forwarder to a Receiver. I've visited various parts of the documentation (e.g. Set up forwarding and receiving). Tried searching around for solutions but I'm still confused on what to do.
I'm using a Virtual Machine to receive data, and the normal PC's OS for forwarding data. What I have done is to install the Universal Forwarder to the PC, and the normal Splunk on the VM. I have also set up the receiver at the VM by going to Manager » Forwarding and receiving » Receive data and entered the port number: 9997.
Went to the PC -> $SPLUNK_HOME\etc\system\local\output.conf and already had this:
[tcpout]
defaultGroup = win-lcjuo9fhe9t_9997
[tcpout:win-lcjuo9fhe9t_9997]
server = win-lcjuo9fhe9t:9997
[tcpout-server://win-lcjuo9fhe9t:9997]
I then went to my PC's command line and used the command:
splunk add oneshot C:\Users\user\Desktop\fox.log
Went back to the VM (receiver) and enabled the Deployment Monitor app. It doesn't show that any forwarder has been trying to connect to it.
I'm still confused on how to get the fox.log file (which I created with a few lines of data) to forward it into the Splunk receiver (in the VM). Hope to get some help. Thank you!
It is usually a very simple setting for sending and receiving. I recommend starting over to set it up, and try adding the file from the directory where the file exists and avoid using a path to make it even simpler.
1. Make sure there is no firewall turned on in both PCs.
2. Make sure you restarted the forwarder after configuring it.
3. Just in case, restart the receiver, too.
4. At the forwarder, search "index=_internal source=*metrics.log* tcpout* " and make sure you see that the IP address or host name of the receiver exists.
5. At the receiver, search "index=_internal source=*metrics.log* tcpin* " and make sure you see that the IP address or host name of the forwarder exists.
6. At the receiver, run the search "index=* | stats count by source" and see if you can find the file path you just added as oneshot.
7. Try the IP address instead of the hostname in outputs.conf if this does not work (maybe NetBIOS is not resolved).
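A scripted version of the connectivity checks in steps 1 and 7 of the answer above, for machines where telnet is not available. This is an added example, not part of the original thread or of Splunk's own tooling; the function names `receivers` and `check` and the status strings are made up for illustration, and the sample config is constructed from the stanzas quoted in the question.

```python
import configparser
import socket

# Constructed sample mirroring the outputs.conf stanzas quoted in the question.
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup = win-lcjuo9fhe9t_9997

[tcpout:win-lcjuo9fhe9t_9997]
server = win-lcjuo9fhe9t:9997

[tcpout-server://win-lcjuo9fhe9t:9997]
"""

def receivers(conf_text):
    """Return (host, port) pairs from every [tcpout:<group>] 'server' setting."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    targets = []
    for section in cp.sections():
        if not section.startswith("tcpout:"):
            continue
        # 'server' may hold a comma-separated list of host:port entries.
        for entry in cp.get(section, "server", fallback="").split(","):
            host, sep, port = entry.strip().rpartition(":")
            if sep and port.isdigit():
                targets.append((host, int(port)))
    return targets

def check(host, port, timeout=3.0):
    """Classify one TCP connection attempt from the forwarder to the receiver."""
    try:
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4][0]
    except socket.gaierror:
        return "name-not-resolved"   # step 7: use the IP address in outputs.conf
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return "open"            # receiver is listening and reachable
    except socket.timeout:
        return "filtered"            # no reply at all: typical of a firewall drop
    except ConnectionRefusedError:
        return "closed"              # host reachable, receiving port not enabled
    except OSError:
        return "unreachable"

if __name__ == "__main__":
    for host, port in receivers(SAMPLE_OUTPUTS_CONF):
        print(host, port, check(host, port))
```

Run it on the forwarder and pass the real file's contents to `receivers` in place of the constructed sample.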
Hey @Masa, I managed to telnet over. Got it to work, and like you said, it's the firewall problem. Thanks a lot for the help!
Sadly, MS Windows removed telnet from default commands...
It's your choice to use UF/LWF/Heavy Forwarder. Either one should work.
I've managed to ping another PC's IP address in the same network, and decided to change from working between a host PC and a VMWare. So right now, it's just between two PCs, both running Windows 7. I'm not sure how to telnet, even after searching on Google, the
> telnet xx.xx.xx.xx 9997
command doesn't seem to work on my command prompt. I went on to use the 'ping' command in the command prompt, and managed to ping the new PC.
Another quick question: Do I need to use the Universal Forwarder or the Light/Heavy Forwarder?
You can check if there is connection between the PCs by telnet.
telnet9997
Where do I put the fox.log file? I went to the receiver to check using your search statement, but nope, it doesn't show the file path of the log file I added as oneshot.
I tried putting the IP Address, but it doesn't work also. There's probably something wrong with using a PC host connecting to the VMWare.