Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to troubleshoot why a Universal Forwarder is not sending data to the Deployment Server?

jafars
New Member
‎05-10-2016 02:23 PM

I installed a Splunk Universal Forwarder on a Windows Server 2012R2 using following command: 

msiexec.exe /i splunkforwarder-6.3.2-aaff59bb082c-x64-release.msi LOGON_USERNAME="domain\account" LOGON_PASSWORD="password" DEPLOYMENT_SERVER="MyDeploymentServerHost:8089" AGREETOLICENSE=Yes /quiet

and I can see that the client (BLD76) is connected, listed in Forwarder Management, one app (Splunk_TA_Windows) has been deployed successfully and it's phoning home:
alt text

However, there's no data being forwarded as my searches don't return any data based on the host name (bld76).
Looking at Splunkd.log on bld76, I can see following error when restarting Forwarder:

05-10-2016 16:17:58.809 +0100 ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.

The install process explained above doesn't create an outputs.conf under etc\system\local, but I have deploymentclient.conf with following content there:

[target-broker:deploymentServer]
targetUri = MyDeploymentServerHost:8089

Could someone please help me diagnose what's missing? I should also add that there's no issues with other universal forwarders sending data (bld10, bld02 & bld73)

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mosman_splunk
Splunk Employee
Splunk Employee
‎05-10-2016 07:07 PM

the configuration you have is to make the the uf only deployment client to the deployment server, in order to make it report a useful information using windows TA and other you need either to configure outputs.conf or to issue the bellow command

splunk add forward-server : -auth :

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mosman_splunk
Splunk Employee
Splunk Employee
‎05-10-2016 07:07 PM

the configuration you have is to make the the uf only deployment client to the deployment server, in order to make it report a useful information using windows TA and other you need either to configure outputs.conf or to issue the bellow command

splunk add forward-server : -auth :

0 Karma
Reply
Solved! Jump to solution

jafars
New Member
‎05-11-2016 12:23 AM

Thanks for your answer, I tried it and it fixed the issue.

0 Karma
Reply
Solved! Jump to solution

jafars
New Member
‎05-11-2016 12:36 AM

Alternatively I can fix the problem by specifying RECEIVING_INDEXER="" when installing the forwarder.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...