Getting Data In

How to troubleshoot why I am receiving no data from my universal forwarder?

gfaggiano
New Member

Okay... Here is my hangup. I've taken some training:
- What is Splunk
- Searching and Reporting
- Building Objects

But... All my training was dealing with an environment that was already set up and configured. I have no training for what I'm trying to do!

So I installed Universal Forwarder (newest available) on a Windows 7 workstation.
Default Ports

I've installed an instance of Splunk Enterprise on another workstation in the same domain.
I set it up to listen on the same port (9997?). I can't remember the port number off the top of my head 😛
I made sure the services were running and did a netstat to make sure the ports were getting through. All good.

My problem is that I've tried setting up some data inputs, but I'm not sure I did it correctly because I'm getting no action from the forwarder.

Here's a simple rundown of what I want to forward (to get me started):

TCP bytes for:
25
80
110
443
8080

UDP bytes for:
443

Any guidance would be great!

0 Karma

s2_splunk
Splunk Employee

Take a look here as well for troubleshooting information.

0 Karma

gfaggiano
New Member

Thank you all for your responses. I still don't know why the data I requested wasn't sent by the forwarder. Fortunately, I didn't end up needing it because the same data was coming in from the event logs. Although I am academically curious, I was able to bring closure to my issue.

0 Karma

satishsdange
Builder
0 Karma

somesoni2
Revered Legend

Did you create an outputs.conf file on the forwarder to send data to the indexer? If a correct outputs.conf is created, the forwarder should send the forwarder's internal logs to your indexers (without needing to set up an inputs.conf). Once you see internal logs (index=_internal host=yourforwarder), then you can set up data inputs.
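
A quick way to sanity-check the outputs.conf mentioned in the answer above, as an added example that is not part of the original thread or Splunk's own tooling. It assumes the usual layout of a `[tcpout]` stanza with `defaultGroup` plus `[tcpout:<group>]` stanzas with `server = host:port`; the function name, group name and address are constructed for illustration.

```python
import configparser

# Constructed sample: group name and receiver address are made up for the example.
GOOD = """
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = 192.0.2.10:9997
"""

# Constructed sample with two mistakes: wrong group name and a missing port.
BROKEN = """
[tcpout]
defaultGroup = indexers

[tcpout:primary_indexers]
server = 192.0.2.10
"""

def check_outputs_conf(text):
    """Return a list of problems found in outputs.conf text (empty list = looks usable)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep setting names such as defaultGroup case-sensitive
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"cannot parse file: {exc}"]
    problems = []
    # Map group name -> stanza for every [tcpout:<group>] section.
    groups = {s.split(":", 1)[1]: cp[s] for s in cp.sections() if s.startswith("tcpout:")}
    if not groups:
        problems.append("no [tcpout:<group>] stanza, so no receiver is defined")
    default = cp.get("tcpout", "defaultGroup", fallback="")
    wanted = [g.strip() for g in default.split(",") if g.strip()]
    if not wanted:
        problems.append("[tcpout] has no defaultGroup")
    for g in wanted:
        if g not in groups:
            problems.append(f"defaultGroup names '{g}' but [tcpout:{g}] does not exist")
    for name, stanza in groups.items():
        servers = [s.strip() for s in stanza.get("server", "").split(",") if s.strip()]
        if not servers:
            problems.append(f"[tcpout:{name}] has no server setting")
        for s in servers:
            host, _, port = s.rpartition(":")
            if not host or not port.isdigit() or not 0 < int(port) < 65536:
                problems.append(f"[tcpout:{name}] server '{s}' is not host:port")
    return problems

if __name__ == "__main__":
    for label, conf in (("GOOD", GOOD), ("BROKEN", BROKEN)):
        print(label, check_outputs_conf(conf) or "looks usable")
```

This only checks the file's structure; it does not test whether the receiver is reachable or listening.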

richgalloway
SplunkTrust

Make sure Windows Firewall is not blocking the forwarder.

---
If this reply helps you, Karma would be appreciated.
0 Karma

gfaggiano
New Member

Thanks Rich. Firewall isn't the problem. No local firewall. Both client and "server" are inside the firewall.

0 Karma