Okay... Here is my hangup. I've taken some training:
-What is Splunk
-Searching and Reporting
But... All my training was dealing with an environment that was already set up and configured. I have no training for what I'm trying to do!
So I installed Universal Forwarder (newest available) on a Windows 7 workstation.
I've installed an instance of Splunk Enterprise on another workstation in the same domain.
I set it up to listen on the same port (9997?). I can't remember the port number off the top of my head 😛
I made sure the services were running and did a netstat to make sure the ports were getting through. All good.
My problem is that I've tried setting up some data inputs, but I'm not sure I did it correctly because I'm getting no action from the forwarder.
Here's a simple rundown of what I want to forward (to get me started):
TCP bytes for:
UDP bytes for:
Any guidance would be great!
Make sure Windows Firewall is not blocking the forwarder.
Thanks Rich. Firewall isn't the problem. No local firewall. Both client and "server" are inside the firewall.
Did you create an outputs.conf file on the forwarder to send data to the indexer? If a correct outputs.conf is created, the forwarder should send its internal logs to your indexers (without needing to set up an inputs.conf). Once you see internal logs (index=_internal host=yourforwarder), then you can set up data inputs.
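As an added illustration of the outputs.conf check described in the answer above (this is example configuration written for this thread, not the answerer's or Splunk's own files), here are the minimal stanzas involved. The indexer hostname `splunk-indexer.example.local`, the receiving port 9997, and the event log input are assumptions for the example; the file paths are the default Splunk `local` directories.

```ini
# --- On the indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Open the receiving port that forwarders will connect to.
# 9997 is the conventional Splunk-to-Splunk port; it is an assumption here
# and must match the port configured in the forwarder's outputs.conf.
[splunktcp://9997]
disabled = 0

# --- On the forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Without this file the forwarder has nowhere to send anything, which
# matches the "no action from the forwarder" symptom in the question.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Hostname is an assumed example value; use the real indexer's DNS name or IP.
server = splunk-indexer.example.local:9997

# --- On the forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Only needed once internal logs are confirmed arriving.
# Example data input: the Windows Security event log (assumed for illustration).
[WinEventLog://Security]
disabled = 0
```

After restarting the forwarder service, the verification search from the answer applies as written: `index=_internal host=yourforwarder` on the indexer should return the forwarder's own splunkd log events before any data inputs are configured. If that search stays empty, the problem is in outputs.conf or the network path between the two hosts, not in the data inputs.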
Thank you all for your responses. I still don't know why the data I requested wasn't sent by the forwarder. Fortunately, I didn't end up needing it because the same data was coming in from the event logs. Although I am academically curious, I was able to bring closure to my issue.