
How to configure a local Splunk Enterprise instance as both a forwarder and indexer?

Explorer

Hi,

I have installed Splunk Enterprise version locally and configured the below from Splunk Web.
1. Forwarding host:port (localhost:9997)
2. Receiving port to match the same port (9997)
3. Data input to point to a directory (c:\data)

I don't see any data in search and reporting, even on adding files to the directory (c:\data)

Can I not use the same local instance as both a forwarder and indexer?

Thanks,
Saravana

0 Karma

Re: How to configure a local Splunk Enterprise instance as both a forwarder and indexer?

SplunkTrust

By default, every Splunk instance can monitor data locally (technically the forwarder's functionality). Since you want to index the data locally and not send/forward it to any other indexer instance, you don't need to configure forwarding or receiving. Just set up the data input and you should be good to go.

How are you configuring data inputs? UI or using inputs.conf?


Re: How to configure a local Splunk Enterprise instance as both a forwarder and indexer?

Explorer

Thanks a lot for the response. I am configuring using the UI. I added a directory in the data input section and restarted Splunk, but when I go to the search and reporting section I don't see any data. Could you please let me know if I need to do any other configuration?

Thanks,
Saravana

0 Karma

Re: How to configure a local Splunk Enterprise instance as both a forwarder and indexer?

SplunkTrust

I would check a few things:
1) Check if the data input is listed under data inputs and is in the enabled state.
2) If you have access to the server, run the following to see if the file that you posted has been monitored by Splunk or not.
$SPLUNK_HOME/bin/splunk.exe list monitor

3) Since you added the data input from the UI, check if you're monitoring a file or the directory (check in the data input page). I'm guessing it would be monitoring a specific file, so you would have to update the inputs.conf on the server to monitor the folder.
4) Check the timestamp on the events in the file and see if it's within the retention period of the index that you're using.

I might check the index/sourcetype being used in the search to see if it matches the values from the data input.


Re: How to configure a local Splunk Enterprise instance as both a forwarder and indexer?

Explorer

Thanks for the response. On running list monitor I get the below entry.
Monitored Files:
$SPLUNK_HOME\etc\splunk.version
C:\SplunkDir
Can you please let me know where inputs.conf is and what to change in it to make it a folder?

Thanks for your patience

0 Karma

Re: How to configure a local Splunk Enterprise instance as both a forwarder and indexer?

SplunkTrust
0 Karma

Re: How to configure a local Splunk Enterprise instance as both a forwarder and indexer?

Explorer

Below is my inputs.conf file, present in
C:\Program Files\Splunk\etc\apps\search\local\inputs.conf

[monitor://C:\SplunkDir]
disabled = false
whitelist = .
sourcetype = csv
index = test

0 Karma
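
Added example (not from any poster in this thread, and not Splunk's own tooling): a small Python script that reads the monitor stanzas from inputs.conf text, reports whether each is enabled, and builds the index/sourcetype search terms that match it, which is the comparison suggested in the checklist above. The sample text is constructed from the stanza posted above plus a hypothetical second stanza; the function names are illustrative, and the fallback to index `main` assumes Splunk's default index for inputs that set none.

```python
import re

# Constructed sample: the stanza posted in the thread, plus a second
# hypothetical stanza that is disabled and names no index.
SAMPLE_INPUTS_CONF = r"""
[monitor://C:\SplunkDir]
disabled = false
whitelist = .
sourcetype = csv
index = test

[monitor://C:\data\one.csv]
disabled = true
sourcetype = csv
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def review_monitors(text):
    """Return one report per monitor:// stanza, with the search terms to use."""
    reports = []
    for name, settings in parse_conf(text).items():
        if not name.startswith("monitor://"):
            continue
        index = settings.get("index", "main")  # assumption: default index is main
        disabled = settings.get("disabled", "false").lower() in ("1", "true")
        search = f"index={index}"
        if "sourcetype" in settings:
            search += f" sourcetype={settings['sourcetype']}"
        reports.append({"path": name[len("monitor://"):], "disabled": disabled,
                        "index": index, "search": search})
    return reports

if __name__ == "__main__":
    for report in review_monitors(SAMPLE_INPUTS_CONF):
        print(report)
```

For the posted stanza the script yields the search terms `index=test sourcetype=csv`; a search that names a different index, or none, is compared against a different set of events than this input writes to.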

Re: How to configure a local Splunk Enterprise instance as both a forwarder and indexer?

Explorer

I figured out the problem. Thanks a lot for the assistance.

0 Karma