How to troubleshoot why I am receiving no data from my universal forwarder?

New Member

Okay... Here is my hangup. I've taken some training:
-What is Splunk
-Searching and Reporting
-Building Objects

But... All my training was dealing with an environment that was already set up and configured. I have no training for what I'm trying to do!

So I installed Universal Forwarder (newest available) on a Windows 7 workstation.
Default Ports

I've installed an instance of Splunk Enterprise on another workstation in the same domain.
I set it up to listen on the same port (9997?). I can't remember the port number off the top of my head 😛
I made sure the services were running and did a netstat to make sure the ports were getting through. All good.

My problem is that I've tried setting up some data inputs, but I'm not sure I did it correctly because I'm getting no action from the forwarder.

Here's a simple rundown of what I want to forward (to get me started):

TCP bytes for:

UDP bytes for:

Any guidance would be great!

0 Karma

Splunk Employee

Take a look here as well for troubleshooting information.

0 Karma

New Member

Thank you all for your responses. I still don't know why the data I requested wasn't sent by the forwarder. Fortunately, I didn't end up needing it because the same data was coming in from the event logs. Although I am academically curious, I was able to bring closure to my issue.

0 Karma


Revered Legend

Did you create an outputs.conf file on the forwarder to send data to the Indexer? If a correct outputs.conf is created, the forwarder should send the forwarder's internal logs to your Indexers (without needing to set up an inputs.conf). Once you see internal logs (index=_internal host=yourforwarder), then you can set up data inputs.


Make sure Windows Firewall is not blocking the forwarder.

If this reply helps you, an upvote would be appreciated.
0 Karma
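The outputs.conf check suggested in the reply above can be scripted. The following is an added example, not code from the thread or from Splunk. It assumes the common layout of a `[tcpout]` stanza whose `defaultGroup` names one or more `[tcpout:<group>]` stanzas, each with a `server = host:port` list; the sample file and hostname are constructed.

```python
import configparser

# Constructed sample of a forwarder's outputs.conf; the hostname is a placeholder.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = indexer.example.local:9997
"""

def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def check_outputs_conf(text):
    """Return (servers, problems) for the text of a forwarder's outputs.conf."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep setting names such as defaultGroup as written
    try:
        # Settings placed before any stanza are parsed under a leading [default].
        parser.read_string("[default]\n" + text)
    except configparser.Error as exc:
        return [], [f"outputs.conf could not be parsed: {exc}"]
    if not parser.has_section("tcpout"):
        return [], ["no [tcpout] stanza found (assumed layout), so no forwarding target"]
    servers, problems = [], []
    groups = _csv(parser.get("tcpout", "defaultGroup", fallback=""))
    if not groups:
        problems.append("[tcpout] sets no defaultGroup")
    for group in groups:
        stanza = f"tcpout:{group}"
        if not parser.has_section(stanza):
            problems.append(f"defaultGroup names '{group}' but [{stanza}] is missing")
            continue
        entries = _csv(parser.get(stanza, "server", fallback=""))
        if not entries:
            problems.append(f"[{stanza}] has no server setting")
        for entry in entries:
            host, sep, port = entry.rpartition(":")
            if sep and host and port.isdigit() and 0 < int(port) < 65536:
                servers.append((host, int(port)))
            else:
                problems.append(f"[{stanza}] server '{entry}' is not host:port")
    return servers, problems

if __name__ == "__main__":
    print(check_outputs_conf(SAMPLE_OUTPUTS_CONF))
```

Pass it the contents of the forwarder's outputs.conf (or an empty string if the file does not exist). Once it reports no problems, the search from the reply, `index=_internal host=yourforwarder`, confirms on the indexer that the forwarder's internal logs are arriving.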

New Member

Thanks Rich. Firewall isn't the problem. No local firewall. Both client and "server" are inside the firewall.

0 Karma