I've noticed customers having problems with the current 6.2.1 Online Sandboxes. As of last month, the UI has changed significantly with the new upgrade.
Customers used to have to manually enter their outputs.conf, but that's changed now. How do you do it?
Now with the new version of Splunk, you can get your Forwarder Configuration app right from the GUI. It contains all the settings to set up security and tell the forwarder where to send your machine data.
From the Launcher app (default landing page)
Look on the left of the screen and click the forwarder app
From there you will download your forwarder config app.
Follow the instructions and you are good to go.
Inside there are a bunch of files, but notice outputs.conf and the server= setting below: you aren't using the same FQDN as you use for the UI.
[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
compressed = false
disabled = false
# Ingest endpoint; not the FQDN you log into for the UI
server = input-blah.cloud.splunk.com:9997
# Name the forwarder expects in the indexer's server certificate
sslCommonNameToCheck = blah.cloud.splunk.com
# Client certificate and key shipped in the app, plus the key's password
sslCertPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/client.pem
sslPassword = fdf1c4601674ddd5fca3db0486d927db
# CA used to validate the indexer certificate; keep verification on
sslRootCAPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/cacert.pem
sslVerifyServerCert = true
# Indexer acknowledgement so events are not lost if the connection drops
useACK = true
Give that a whirl and let me know what you think.
Regards,
Kyle
PS: One note on WINDOWS forwarders. During installation, the wizard asks you to enter Deployment Server and Receiving Indexer FQDNs or IPs. LEAVE THEM BLANK.
The .spl package will configure your receiving indexer(s) for you, and unless you have an on-premises DS, leave it blank. Else, your data will never show up and you will be unhappy.
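The forwarder proves the connection works only after you restart it and watch splunkd.log, which is slow when a setting is wrong. The following is an added example (Python, not code from the post above or from Splunk) that reads the outputs.conf stanza shape shown above and then performs the same mutually authenticated TLS handshake the forwarder would: client certificate from sslCertPath, CA from sslRootCAPath, and the server name taken from sslCommonNameToCheck. The embedded sample conf, the default SPLUNK_HOME of /opt/splunkforwarder and the assumed outputs.conf location inside the splunkclouduf app are constructed for the example.

```python
"""Validate a Splunk Cloud forwarder's outputs.conf and test the TLS handshake.

Added example, not from the original post and not a Splunk tool. The sample
conf, the default SPLUNK_HOME and the outputs.conf location are assumptions.
"""
import configparser
import os
import socket
import ssl

# Constructed sample modelled on the outputs.conf posted above; host names,
# paths and the password are placeholders, not real credentials.
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
compressed = false
disabled = false
server = input-blah.cloud.splunk.com:9997
sslCommonNameToCheck = blah.cloud.splunk.com
sslCertPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/client.pem
sslPassword = fdf1c4601674ddd5fca3db0486d927db
sslRootCAPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/cacert.pem
sslVerifyServerCert = true
useACK = true
"""

# Assumed default install location for a *nix universal forwarder.
DEFAULT_SPLUNK_HOME = os.environ.get("SPLUNK_HOME", "/opt/splunkforwarder")


def parse_outputs_conf(text, splunk_home=DEFAULT_SPLUNK_HOME):
    """Return the default tcpout group's settings with $SPLUNK_HOME expanded."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    group = cp["tcpout"]["defaultGroup"]
    stanza = cp["tcpout:" + group]
    # server may be a comma-separated list; the first entry is enough to check.
    first = stanza["server"].split(",")[0].strip()
    host, _, port = first.rpartition(":")
    expand = lambda p: p.replace("$SPLUNK_HOME", splunk_home)
    return {
        "group": group,
        "host": host,
        "port": int(port),
        # For this check, fall back to the server host if the CN setting is absent.
        "cn": stanza.get("sslCommonNameToCheck", host),
        "cert": expand(stanza["sslCertPath"]),
        "password": stanza.get("sslPassword"),
        "ca": expand(stanza["sslRootCAPath"]),
        "verify": stanza.getboolean("sslVerifyServerCert", fallback=False),
    }


def static_findings(cfg):
    """Problems visible without touching the network."""
    findings = []
    if not cfg["verify"]:
        findings.append("sslVerifyServerCert=false: forwarder would trust any indexer certificate")
    for key in ("cert", "ca"):
        if not os.path.isfile(cfg[key]):
            findings.append(f"{key} file missing: {cfg[key]}")
    return findings


def make_context(cfg):
    """Build an SSL context equivalent to the forwarder's TLS settings."""
    ctx = ssl.create_default_context(cafile=cfg["ca"])
    if not cfg["verify"]:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    # client.pem carries the client certificate and its password-protected key.
    ctx.load_cert_chain(cfg["cert"], password=cfg["password"])
    return ctx


def handshake(cfg, timeout=10):
    """Connect to the ingest endpoint; return (TLS version, peer certificate subject)."""
    ctx = make_context(cfg)
    with socket.create_connection((cfg["host"], cfg["port"]), timeout=timeout) as raw:
        # server_hostname drives SNI and the name check, standing in for
        # sslCommonNameToCheck.
        with ctx.wrap_socket(raw, server_hostname=cfg["cn"]) as tls:
            return tls.version(), tls.getpeercert().get("subject")


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.join(
        DEFAULT_SPLUNK_HOME, "etc", "apps", "splunkclouduf", "default", "outputs.conf")
    with open(path) as fh:
        cfg = parse_outputs_conf(fh.read())
    for finding in static_findings(cfg):
        print("finding:", finding)
    print(handshake(cfg))
```

Run it against the outputs.conf that came out of the .spl before splunkd has started; once splunkd starts it rewrites sslPassword into its encrypted $1$ form, which this script cannot use to unlock client.pem. A successful handshake here means the TCP path, the CA chain, the certificate name and the client key password are all right, which is exactly the set of things the forwarder checks before it will send any data.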
Wow, the confusion and major lack of user-friendly install directions is terrible. I considered using Splunk, but I've spent so much time trying to install/configure it for this Sandbox that it's no longer worth my time.
Doesn't seem to work for me.
This is what I see in the log:
04-03-2017 15:38:31.923 +0000 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
04-03-2017 15:38:34.429 +0000 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr:
04-03-2017 15:38:34.429 +0000 INFO HttpPubSubConnection - Could not obtain connection, will retry after=32.804 seconds.
04-03-2017 15:38:43.923 +0000 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
04-03-2017 15:38:55.923 +0000 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
04-03-2017 15:38:57.482 +0000 ERROR TcpOutputFd - Connection to host=52.201.237.113:9997 failed. sock_error = 104. SSL Error = error:00000000:lib(0):func(0):reason(0)
04-03-2017 15:39:07.441 +0000 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr:
04-03-2017 15:39:07.442 +0000 INFO HttpPubSubConnection - Could not obtain connection, will retry after=63.757 seconds.
I tried telnet to the IP & port, and that seems to go through.
Missed mentioning that this is on Ubuntu.
[tcpout]
defaultGroup = splunkcloud
[tcpout:splunkcloud]
compressed = false
disabled = false
server = input-prd-p-h3z7wk2hxjrm.cloud.splunk.com:9997
sslCommonNameToCheck = input-prd-p-h3z7wk2hxjrm.cloud.splunk.com
sslCertPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/client.pem
sslPassword = 8997f53906a6bc9140a895e78335143b
sslRootCAPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/cacert.pem
sslVerifyServerCert = true
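Two different subsystems are talking in that log excerpt, and only one of them carries event data. The following is an added example (Python, not code from the thread or from Splunk) that parses splunkd.log lines of the shape posted above and separates TcpOutputFd failures, which are the data path, from DC:DeploymentClient and HttpPubSubConnection retries, which belong to the deployment client that fetches apps from a deployment server and never carries events. The sample lines are copied from the post; the errno table is Linux numbering, since the poster is on Ubuntu.

```python
"""Triage splunkd.log connection noise from a universal forwarder.

Added example, not part of the original thread or of any Splunk tool. The log
lines below are constructed from the ones posted above; the errno table uses
Linux values (the poster is on Ubuntu).
"""
import re
from collections import Counter

# Constructed sample, copied from the poster's splunkd.log excerpt.
SAMPLE_LOG = """\
04-03-2017 15:38:31.923 +0000 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
04-03-2017 15:38:34.429 +0000 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr:
04-03-2017 15:38:34.429 +0000 INFO HttpPubSubConnection - Could not obtain connection, will retry after=32.804 seconds.
04-03-2017 15:38:57.482 +0000 ERROR TcpOutputFd - Connection to host=52.201.237.113:9997 failed. sock_error = 104. SSL Error = error:00000000:lib(0):func(0):reason(0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d-\d{4} \d\d:\d\d:\d\d\.\d{3} [+-]\d{4})\s+"
    r"(?P<level>[A-Z]+)\s+(?P<component>[\w:]+) - (?P<msg>.*)$"
)
TCPOUT_RE = re.compile(
    r"Connection to host=(?P<host>[^:]+):(?P<port>\d+) failed\. "
    r"sock_error = (?P<errno>\d+)\. SSL Error = (?P<ssl>\S+)"
)
# Linux errno values a forwarder most often reports in sock_error.
LINUX_ERRNO = {104: "ECONNRESET", 110: "ETIMEDOUT", 111: "ECONNREFUSED", 113: "EHOSTUNREACH"}
# OpenSSL's "no error recorded" code: the socket failed, not the TLS library.
NO_OPENSSL_ERROR = "error:00000000:lib(0):func(0):reason(0)"


def parse_line(line):
    """Split one splunkd.log line into timestamp, level, component and message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def explain_tcpout_failure(msg):
    """Turn a TcpOutputFd failure message into a finding, or None if it is not one."""
    m = TCPOUT_RE.search(msg)
    if not m:
        return None
    code = int(m["errno"])
    name = LINUX_ERRNO.get(code, f"errno {code}")
    # An empty OpenSSL error means the peer closed or reset the TCP socket
    # before or during the handshake; a real TLS failure would name a reason.
    layer = "tcp" if m["ssl"] == NO_OPENSSL_ERROR else "tls"
    return {"target": f"{m['host']}:{m['port']}", "errno": name,
            "layer": layer, "ssl": m["ssl"]}


def triage(log_text):
    """Count data-path failures separately from deployment-client retries."""
    counts = Counter()
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            counts["unparsed"] += 1
            continue
        comp = rec["component"]
        if comp == "TcpOutputFd":
            finding = explain_tcpout_failure(rec["msg"])
            if finding:
                counts["tcpout_failed"] += 1
                findings.append(finding)
        elif comp in ("DC:DeploymentClient", "HttpPubSubConnection"):
            # Deployment-client subsystem: it pulls apps from a deployment
            # server and does not carry events, so it cannot by itself explain
            # data missing from the indexers.
            counts["deployment_client_noise"] += 1
        else:
            counts["other"] += 1
    return {"counts": dict(counts), "findings": findings}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the posted excerpt the only data-path finding is ECONNRESET on 52.201.237.113:9997 with an empty OpenSSL error, meaning the TCP connect succeeded and the indexer then closed the connection. That is consistent with the telnet test passing: telnet only proves the port is open, not that the indexer accepts the forwarder's TLS session. The DS handshake retries are a separate question about deployment-server reachability and are not what is keeping events from arriving.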
Does this also work on Windows?
What are the commands I should run? (instead of the *nix paths)
How do I know if it worked?
Odd, this did nothing when I ran it. No output at all, and none of my outputs.conf files were edited. There seem to be no actual Windows commands in the docs.
@Cuyose, can you make a diag, create a ticket and upload it? PM me at kyle@splunk.com with the case # and we can take a look.
Yes, it works on Windows too. Just run the same splunk install app from the "C:\Program Files\splunkforwarder\bin" directory (or wherever %SPLUNK_HOME%\bin lives).
Note: this app took out the backslashes, but you should not.