Hey,
I'm new to Splunk, so I may be missing something... However, I can't seem to configure a forwarder to listen on a network port (tcp/udp for syslog).
So far I have:
- Installed the forwarder which shows up in the Splunk Light dloud portal
- I have set the forwarder to monitor local event logs and the data is flowing into Splunk ok
- When I go to Add data, select the forwarder, select the server class, I can't click on the option for "Configure Splunk to listen on a network port." It also seems to be missing it's blue heading in that box. I can click on the other four options, but not that one.
Any ideas? Am I missing something?
Thanks...Scott
Looks like there is a bug introduced in the recent version that is preventing UI from working.
As a work around you can go to the machine where forwarder is running, and manually create (if none exists) inputs.conf file in /etc/system/local folder and update/add TCP input there and restart the forwarder (/bin/splunk restart).
Example stanza for receiving syslog via TCP input (update for your port and source type as appropriate):
[tcp://33333]
sourcetype=syslog
disabled=false
could you post a screen-shot?
if you have a server class defined that contains the forwarder(s) you're trying to enable the tcp/udp input on then there shouldn't be a problem.
thnx
Sure...here you go.
ok, thnx. i'm looking into it/trying to re-produce the issue.
for now, the "Use the CLI" section of this doc may help: http://docs.splunk.com/Documentation/Splunk/6.4.0/Data/Configureyourinputs#Use_the_CLI