I'm new to Splunk, so I may be missing something... However, I can't seem to configure a forwarder to listen on a network port (tcp/udp for syslog).
So far I have:
- Installed the forwarder which shows up in the Splunk Light cloud portal
- I have set the forwarder to monitor local event logs and the data is flowing into Splunk ok
- When I go to Add data, select the forwarder, select the server class, I can't click on the option for "Configure Splunk to listen on a network port." It also seems to be missing its blue heading in that box. I can click on the other four options, but not that one.
Any ideas? Am I missing something?
Looks like there is a bug introduced in the recent version that is preventing the UI from working.
As a workaround, you can go to the machine where the forwarder is running, manually create (if none exists) an inputs.conf file in the /etc/system/local folder, update/add a TCP input there, and restart the forwarder (/bin/splunk restart).
Example stanza for receiving syslog via TCP input (update for your port and source type as appropriate):
```
[tcp://33333]
sourcetype=syslog
disabled=false
```
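A quick check that the TCP input is actually accepting connections after the restart, as an added example that is not part of the original answer. It assumes the forwarder is reachable on 127.0.0.1 and uses port 33333 from the stanza above; the function names, host name and tag are hypothetical.

```python
import socket
from datetime import datetime


def build_syslog_line(message, facility=1, severity=6,
                      host="testhost", tag="splunk-test", now=None):
    """Return an RFC 3164 style line: <PRI>Mmm dd hh:mm:ss host tag: message."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity  # PRI value as defined by syslog
    now = now or datetime.now()
    # RFC 3164 pads single-digit days with a space, not a zero.
    stamp = f"{now.strftime('%b')} {now.day:2d} {now.strftime('%H:%M:%S')}"
    return f"<{pri}>{stamp} {host} {tag}: {message}"


def send_test_event(host, port, line, timeout=3.0):
    """Send one newline-terminated event; return True if a listener accepted it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(line.encode("utf-8") + b"\n")
        return True
    except OSError:
        # Refused or timed out: the stanza was not loaded, the forwarder
        # was not restarted, or a firewall is blocking the port.
        return False


if __name__ == "__main__":
    # Constructed test event; host and port are assumptions for this example.
    line = build_syslog_line("inputs.conf TCP input test")
    ok = send_test_event("127.0.0.1", 33333, line)
    print("sent" if ok else "no listener on tcp/33333", "-", line)
```

A successful send only shows that the port is open; search for the test message in Splunk to confirm the event was indexed with the expected source type.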