After 2 days of reading numerous help docs and watching tutorial videos, I am still not able to get Splunk Cloud monitoring a simple event log of my Windows test PC. After installing and uninstalling the universal forwarder 10+ times, I am now on the edge of walking away from this Splunk puzzle. The SplunkUniversalForwarder service is running, the splunkd process is running; what to check next...
[default]
host = Asus-AP

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
<<

[general]
serverName = Asus-AP
pass4SymmKey = xxxxxxxxxxxx

[sslConfig]
sslKeysfilePassword = xxxxxxxxxxxx

[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder

[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free
<<

deploymentclient.conf:

[target-broker:deploymentServer]
targetUri = prd-p-7jmfcpd9xcqm.cloud.splunk.com:8089
<<
NO outputs.conf file (why? and where do I correct this? by adding it manually?)
I missed a complete step-by-step video or document for making a simple working setup of Splunk Cloud monitoring the event log of a Windows PC. When I start reading the help documentation and click on the relevant part, it opens a new page... in no time I have at least 10 pages open and still no answer...
Some help is appreciated.
Hello apietersen, I am sorry you are having trouble configuring Splunk to ingest data. Have you followed the steps outlined in the document below?
Are you receiving any internal logs in Splunk Cloud from your Forwarder?
Do you have any outputs configured on your universal forwarder? The following command will list any outputs you have:
./splunk cmd btool outputs list
Splunk Cloud should provide you with an outputs app to place on your universal forwarder.
Trying to send some further info; again not enough karma. pff 😞 Hope this post is allowed. Uninstalled and installed the universal forwarder again. (Could not remove the app and other stuff from the cloud console.)
Here is the output of splunk cmd btool outputs list.
Hope you can find something that solves this issue (note: I can always provide a remote session to our test PC if needed).
C:\Program Files\SplunkUniversalForwarder\bin>splunk cmd btool outputs list
[syslog]
dropEventsOnQueueFull = -1
maxEventSize = 1024
priority = <13>
type = udp
[tcpout]
ackTimeoutOnShutdown = 30
autoLBFrequency = 30
blockOnCloning = true
blockWarnThreshold = 100
compressed = false
connectionTimeout = 20
defaultGroup = splunkcloud
disabled = false
dropClonedEventsOnQueueFull = 5
dropEventsOnQueueFull = -1
forceTimebasedAutoLB = false
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
forwardedindex.filter.disable = false
heartbeatFrequency = 30
indexAndForward = false
maxConnectionsPerIndexer = 2
maxFailuresPerInterval = 2
maxQueueSize = auto
readTimeout = 300
secsInFailureInterval = 1
sendCookedData = true
sslQuietShutdown = false
tcpSendBufSz = 0
useACK = false
writeTimeout = 300
[tcpout:splunkcloud]
compressed = false
disabled = false
server = xxxxxxx.cloud.splunk.com:9997
sslCertPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/client.pem
sslCommonNameToCheck = input-prd-p-7jmfcpd9xcqm.cloud.splunk.com
sslPassword = xxxxxxxx
sslRootCAPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/cacert.pem
sslVerifyServerCert = true
useACK = true
C:\Program Files\SplunkUniversalForwarder\bin>
index=_internal host=<your_host_name> OR host=<your_host_ip>
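As an added example (not Splunk's own tooling and not from any poster), the following script parses the text that `splunk cmd btool outputs list` prints, as pasted above, and reports the conditions a forwarder needs before it can deliver data to Splunk Cloud: a `defaultGroup` in `[tcpout]`, a matching enabled `[tcpout:<group>]` stanza with a `server`, server certificate verification on, and `useACK` on. The two sample inputs are constructed: a trimmed copy of the posted output and a guess at what the built-in defaults look like before any outputs app is installed.

```python
"""Parse `splunk cmd btool outputs list` output and check the tcpout target.

Added example, not Splunk's code. Sample inputs are constructed.
"""
import re

# Constructed: trimmed copy of the posted btool output, flattened as pasted
BTOOL_OK = (
    "C:\\Program Files\\SplunkUniversalForwarder\\bin>splunk cmd btool outputs list "
    "[syslog] priority = <13> type = udp "
    "[tcpout] defaultGroup = splunkcloud disabled = false useACK = false "
    "[tcpout:splunkcloud] disabled = false server = xxxxxxx.cloud.splunk.com:9997 "
    "sslVerifyServerCert = true useACK = true "
    "C:\\Program Files\\SplunkUniversalForwarder\\bin>"
)
# Constructed (assumption): defaults before any outputs app / outputs.conf exists
BTOOL_NO_OUTPUTS = "[tcpout] disabled = false useACK = false"


def parse_btool(text):
    """Return {stanza: {key: value}} from flattened or multi-line btool text."""
    parts = re.split(r"\[([^\]]+)\]", text)  # parts[0] is the prompt/preamble
    stanzas = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        stanzas[name] = dict(re.findall(r"(\S+)\s*=\s*(\S+)", body))
    return stanzas


def check_outputs(stanzas):
    """List reasons the forwarder would not deliver data to Splunk Cloud."""
    findings = []
    group = stanzas.get("tcpout", {}).get("defaultGroup")
    if not group:
        return ["[tcpout] has no defaultGroup: no outputs app/outputs.conf installed"]
    target = stanzas.get("tcpout:" + group)
    if target is None:
        return ["[tcpout:%s] stanza missing" % group]
    if target.get("disabled", "false").lower() == "true":
        findings.append("[tcpout:%s] is disabled" % group)
    if not target.get("server"):
        findings.append("[tcpout:%s] has no server = host:port" % group)
    if target.get("sslVerifyServerCert", "false").lower() != "true":
        findings.append("sslVerifyServerCert is not true: server identity unverified")
    if target.get("useACK", "false").lower() != "true":
        findings.append("useACK is false: silent data loss is possible")
    return findings


if __name__ == "__main__":
    for label, sample in (("posted config", BTOOL_OK), ("no outputs", BTOOL_NO_OUTPUTS)):
        print(label, "->", check_outputs(parse_btool(sample)) or ["OK"])
```

Paste your own btool output into BTOOL_OK to check it; an empty findings list means the forwarder has a usable, verified TLS target, and the `index=_internal` search above should then start showing its heartbeat.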