Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to troubleshoot why a Universal Forwarder is not sending data to the Deployment Server?

jafars
New Member
‎05-10-2016 02:23 PM

I installed a Splunk Universal Forwarder on a Windows Server 2012R2 using following command: 

msiexec.exe /i splunkforwarder-6.3.2-aaff59bb082c-x64-release.msi LOGON_USERNAME="domain\account" LOGON_PASSWORD="password" DEPLOYMENT_SERVER="MyDeploymentServerHost:8089" AGREETOLICENSE=Yes /quiet

and I can see that the client (BLD76) is connected, listed in Forwarder Management, one app (Splunk_TA_Windows) has been deployed successfully and it's phoning home:
alt text

However, there's no data being forwarded as my searches don't return any data based on the host name (bld76).
Looking at Splunkd.log on bld76, I can see following error when restarting Forwarder:

05-10-2016 16:17:58.809 +0100 ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.

The install process explained above doesn't create an outputs.conf under etc\system\local, but I have deploymentclient.conf with following content there:

[target-broker:deploymentServer]
targetUri = MyDeploymentServerHost:8089

Could someone please help me diagnose what's missing? I should also add that there's no issues with other universal forwarders sending data (bld10, bld02 & bld73)

splunk-forwarder.png
Preview file
97 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mosman_splunk
Splunk Employee
Splunk Employee
‎05-10-2016 07:07 PM

the configuration you have is to make the the uf only deployment client to the deployment server, in order to make it report a useful information using windows TA and other you need either to configure outputs.conf or to issue the bellow command

splunk add forward-server : -auth :

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mosman_splunk
Splunk Employee
Splunk Employee
‎05-10-2016 07:07 PM

the configuration you have is to make the the uf only deployment client to the deployment server, in order to make it report a useful information using windows TA and other you need either to configure outputs.conf or to issue the bellow command

splunk add forward-server : -auth :

0 Karma
Reply
Solved! Jump to solution

jafars
New Member
‎05-11-2016 12:23 AM

Thanks for your answer, I tried it and it fixed the issue.

0 Karma
Reply
Solved! Jump to solution

jafars
New Member
‎05-11-2016 12:36 AM

Alternatively I can fix the problem by specifying RECEIVING_INDEXER="" when installing the forwarder.

0 Karma
Reply
Get Updates on the Splunk Community!

Holistic Visibility and Effective Alerting Across IT and OT Assets

Instead of effective and unified solutions, they’re left with tool fatigue, disjointed alerts and siloed ...

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...

Security automation is no longer a luxury but a necessity. Join us to learn how Splunk ES and SOAR empower ...

Ask It, Fix It: Faster Investigations with AI Assistant in Observability Cloud

  Join us in this Tech Talk and learn about the recently launched AI Assistant in Observability Cloud. With ...
Top