I installed Splunk Enterprise 7.0 on a Unix machine and wish to get data from a Windows machine (any data would suffice for now, since I'm new to Splunk and trying to grasp the concept of it all).
Some configs I did, using the available documentation:
Splunk Enterprise server (unix system)
$ cat inputs.conf
[default]
host = SPLUNK
[splunktcp://9997]
disabled = 0
Splunk Universal Forwarder (Windows Server machine)
-> splunk add forward-server :9997
-> splunk set deploy-poll :9997
-> Added some config in 'inputs.conf'
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
[monitor:///apache/*.log]
disabled = 0
-> splunk enable eventlog System
Specified input collection has been enabled
Now I want to add a forwarder using Splunk Web on my Enterprise system.
I log on to the web interface, select 'Add data' > 'Forward', and get: 'There are currently no forwarders configured as deployment clients to this instance.'
Not sure what I'm doing wrong. However, when I search for data, I do see some results there from the Windows machine!
Hi bwouters,
To collect Windows logs, I suggest using Splunk_TA_Windows, which contains all the configurations for collecting Windows logs.
This TA is available at https://splunkbase.splunk.com/app/742/ and contains all the inputs and scripts to collect Windows logs; you only have to enable them in inputs.conf by putting disabled = 0
in the stanzas you like.
Bye.
Giuseppe
The deploy-poll should be port 8089 of your deployment server, assuming default ports are used.
The outputs.conf is fine, as you've said yourself: you see events from that machine indexed.
The deployment client config is stored in deploymentclient.conf (duh); the CLI command creates the file in etc/system/local.
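The mix-up in this thread is easy to catch mechanically: `splunk set deploy-poll` writes a `[target-broker:deploymentServer]` stanza with `targetUri = host:port` into deploymentclient.conf, and that port must be the deployment server's splunkd management port (8089 by default), while the `server` entries in outputs.conf point at the indexer's receiving port (9997 by default). The script below is an added example (not Splunk's own tooling and not from the original post): it parses both files and flags a deploymentclient.conf whose target port is the data-receiving port. The file contents are constructed to mirror the thread, with the placeholder 192.0.2.10 standing in for the indexer's address; the fallback to 8089 when targetUri carries no port is an assumption for the helper only.

```python
"""Check a Universal Forwarder's deploymentclient.conf against its outputs.conf
for the deploy-poll port mistake discussed above (added example, not Splunk code)."""
import configparser
from urllib.parse import urlsplit

SPLUNKD_MGMT_PORT = 8089   # default splunkd management port (where the deployment server listens)
SPLUNKTCP_PORT = 9997      # default [splunktcp://9997] receiving port on the indexer


def parse_conf(text):
    """Splunk .conf files are INI-style; keep key case (targetUri, defaultGroup)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def host_port(hostport, default_port):
    """Split 'host:port' (scheme optional) into (host, port); assumed default if no port given."""
    url = hostport if "://" in hostport else "//" + hostport
    parts = urlsplit(url)
    return parts.hostname, (parts.port if parts.port is not None else default_port)


def tcpout_servers(outputs):
    """All (host, port) data destinations from [tcpout:<group>] server= lists."""
    servers = []
    for section in outputs.sections():
        if section.startswith("tcpout:") and outputs.has_option(section, "server"):
            for entry in outputs.get(section, "server").split(","):
                servers.append(host_port(entry.strip(), SPLUNKTCP_PORT))
    return servers


def deployment_target(dc):
    """(host, port) the forwarder phones home to, or None if no stanza is present."""
    stanza = "target-broker:deploymentServer"
    if not dc.has_section(stanza) or not dc.has_option(stanza, "targetUri"):
        return None
    return host_port(dc.get(stanza, "targetUri"), SPLUNKD_MGMT_PORT)


def check(deploymentclient_text, outputs_text):
    """Return a list of findings; an empty list means the two files are consistent."""
    findings = []
    target = deployment_target(parse_conf(deploymentclient_text))
    data_ports = {port for _, port in tcpout_servers(parse_conf(outputs_text))}
    if target is None:
        findings.append("no [target-broker:deploymentServer] targetUri: forwarder never phones home")
        return findings
    host, port = target
    if port in data_ports or port == SPLUNKTCP_PORT:
        findings.append(
            f"targetUri {host}:{port} uses the data-receiving port; deploy-poll must point at the "
            f"splunkd management port ({SPLUNKD_MGMT_PORT} by default), e.g. {host}:{SPLUNKD_MGMT_PORT}"
        )
    return findings


# Constructed samples mirroring the thread (192.0.2.10 is a placeholder address).
BROKEN_DEPLOYMENTCLIENT = """\
[target-broker:deploymentServer]
targetUri = 192.0.2.10:9997
"""

FIXED_DEPLOYMENTCLIENT = """\
[target-broker:deploymentServer]
targetUri = 192.0.2.10:8089
"""

OUTPUTS = """\
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.0.2.10:9997

[tcpout-server://192.0.2.10:9997]
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_DEPLOYMENTCLIENT), ("fixed", FIXED_DEPLOYMENTCLIENT)):
        print(label, check(text, OUTPUTS) or "OK")
```

On the forwarder itself, `splunk show deploy-poll` prints the configured targetUri and `splunk btool deploymentclient list --debug` shows which file each setting comes from, so you can confirm the 8089 change landed in etc/system/local rather than being shadowed by an app's copy of deploymentclient.conf.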
It's working now, after changing the port to 8089.
I guess the system needed a bit more time to process the change.
Thanks for informing me about the port!
I executed the command again with a different port (8089), but without success.
Is there a specific config file I can check to make sure it has changed?
I checked the outputs.conf file in etc/system/local.
It contains the following:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = IP:9997
[tcpout-server://IP:9997]
-> Is this even the correct place to look?