Getting Data In

How to configure universal forwarders (deployment clients) on Windows machines to send logs to Splunk Light?

tejasplunk
Engager

Complete Splunk beginner here.

I am learning to use Splunk. We have a bunch of Windows machines that we want to pull the logs from.

This is what I understand from the docs, but please correct me if I am wrong.

  1. Install Splunk Light full version on one of the servers.
  2. Install universal forwarders on however number of machines you want (tick the logs you want to forward and give the ip address and port number of the Splunk Light instance) default 9997.
  3. Go to Splunk Web, now I go to forward data, but it says there are no deployment clients configured to talk to this Splunk instance! I didn't get this deployment server and deployment client. Do I need a deployment server in my scenario? Where are all the forwarders are supposed to forward events to in a single instance of Splunk Light?
  4. I started seeing the host under search tab, under host. (Is this how the forwarder is supposed to work?) as the hosts added pop-up here.

Thanks. The docs are confusing as there is a mix up of Splunk Enterprise with Splunk Light and they are not comprehensive enough for the multitude of options you can configure with Splunk.

andrewb_splunk
Splunk Employee
Splunk Employee

Based on feedback such as yours we are working to make the Splunk Light forwarding documentation clearer and more self-contained. In the meantime, the following topics in the Splunk Light docs should provide the info that you need to get started:

The process of configuring your forwarders as deployment clients is optional, but is required if you want to use the Add Data workflow in the Splunk Light user interface (instead of managing data inputs at the command line or config file level on each forwarder).

shadcollins
Engager

An issue is the Receive Data from forwarder doesn't appear to actually work. It says there are no forwarders configured when there are because data is coming in from file's being ingested.

Not only is the documentation bad, it just doesn't work.

It feels like Splunk Light is a second-class citizen. It is hard to sell this to clients when it is almost impossible to set up without doing everything in the back-end with file configurations.

0 Karma
Get Updates on the Splunk Community!

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...