Getting Data In

How to properly configure Universal Forwarder, located on the same machine as my Splunk instance?

Path Finder

Hi. I am trying to install a Universal Forwarder on the same machine as my Splunk instance just to see how the Universal Forwarder (UF) works. I understand that you can collect the logs locally, but just to understand how the UF works I am trying to do it. I have followed the installation wizard and entered the receiver details as 127.0.0.1 and 9997 as the port. I left the deployment server details empty. I also configured the receiver on the indexer, but I am still unable to see Windows event logs when I search. Could someone please help? I am new to Splunk.

1 Solution

SplunkTrust

Did you edit your inputs.conf to monitor the directory you want Splunk to ingest?

Under your SplunkForwarder home directory, go to etc/system/local, create an inputs.conf file and put the stanza below in it. Make sure to substitute the path to the file you want to monitor, give it a sourcetype, and set the index you want this data to go to. Also make sure you have the index defined before sending data there.

# monitor stanza: scheme is "monitor://" followed by the file or directory path
[monitor://C:\PATH_TO_FILE]
disabled = false
sourcetype = YOUR_SOURCETYPE
# this index must already exist on the indexer
index = YOUR_INDEX


New Member

I too am facing the same issue. I installed Splunk Universal Forwarder and Splunk Enterprise on my C drive. I created a sample file, modified the inputs.conf as mentioned above and enabled the receiver by setting the port to 9997. Do we have to modify/create an outputs.conf file? I tried creating outputs.conf too, but no use. In outputs.conf I gave the server name as localhost. Am I missing something? Also, do we have to modify anything in distributed search? I assume my Splunk Enterprise is acting as both SH and indexer.


Contributor

Have you set up inputs on the forwarder, to tell it what to forward?



Path Finder

I had already chosen Windows event logs in the UF installation wizard. Wouldn't that configure it automatically? Do I need to do anything under data inputs?


SplunkTrust

Yes, it should have. You can go to Settings > Data Inputs and see if there's anything for local event log collection, or you can go to splunkforwarder/etc/system/local and see if you have an inputs.conf with a stanza collecting your event logs.

You could also create a quick test by creating a temp folder on your C drive and creating a text file inside that folder. Then add the stanza I provided above and point it at that text file. Restart the Splunk service after making changes and verify that Splunk ingests it.

http://docs.splunk.com/Documentation/Splunk/6.5.1/Data/MonitorWindowseventlogdata
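For the setup discussed in this thread (a Universal Forwarder and a Splunk Enterprise indexer on one Windows host), here is an added example of the four configuration files involved, covering both the file-monitor stanza from the accepted answer and the event-log collection asked about above. It is not from any post in this thread; the file path, sourcetype, index name and output group name are placeholders chosen for illustration.

```ini
# --- Forwarder side: %SPLUNK_HOME%\etc\system\local\inputs.conf (UF) ---
# Quick test input: a text file in a temp folder (placeholder path).
[monitor://C:\temp\uf_test.txt]
disabled = false
sourcetype = uf_test
index = uf_test

# Windows Event Log channels collected locally by the forwarder.
[WinEventLog://Application]
disabled = 0
index = uf_test

[WinEventLog://Security]
disabled = 0
index = uf_test

# --- Forwarder side: %SPLUNK_HOME%\etc\system\local\outputs.conf (UF) ---
# Where the forwarder sends data: the indexer's receiving port on this host.
[tcpout]
defaultGroup = local_indexer

[tcpout:local_indexer]
server = 127.0.0.1:9997

# --- Indexer side: %SPLUNK_HOME%\etc\system\local\inputs.conf (Enterprise) ---
# Opens the receiving port (same effect as Settings > Forwarding and receiving).
[splunktcp://9997]
disabled = 0

# --- Indexer side: %SPLUNK_HOME%\etc\system\local\indexes.conf (Enterprise) ---
# The index named in the forwarder's inputs.conf must exist here first.
[uf_test]
homePath   = $SPLUNK_DB/uf_test/db
coldPath   = $SPLUNK_DB/uf_test/colddb
thawedPath = $SPLUNK_DB/uf_test/thaweddb
```

Restart both Splunk services after editing; the forwarder's splunkd.log should then show a "Connected to idx=127.0.0.1:9997" line, and if it does not, confirm that both instances actually started, since two instances installed with the default management port 8089 on one host will conflict.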
