Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to troubleshoot why a Universal Forwarder is not sending data to the Deployment Server?

jafars
New Member
‎05-10-2016 02:23 PM

I installed a Splunk Universal Forwarder on a Windows Server 2012R2 using following command: 

msiexec.exe /i splunkforwarder-6.3.2-aaff59bb082c-x64-release.msi LOGON_USERNAME="domain\account" LOGON_PASSWORD="password" DEPLOYMENT_SERVER="MyDeploymentServerHost:8089" AGREETOLICENSE=Yes /quiet

and I can see that the client (BLD76) is connected, listed in Forwarder Management, one app (Splunk_TA_Windows) has been deployed successfully and it's phoning home:
alt text

However, there's no data being forwarded as my searches don't return any data based on the host name (bld76).
Looking at Splunkd.log on bld76, I can see following error when restarting Forwarder:

05-10-2016 16:17:58.809 +0100 ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.

The install process explained above doesn't create an outputs.conf under etc\system\local, but I have deploymentclient.conf with following content there:

[target-broker:deploymentServer]
targetUri = MyDeploymentServerHost:8089

Could someone please help me diagnose what's missing? I should also add that there's no issues with other universal forwarders sending data (bld10, bld02 & bld73)

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mosman_splunk
Splunk Employee
Splunk Employee
‎05-10-2016 07:07 PM

the configuration you have is to make the the uf only deployment client to the deployment server, in order to make it report a useful information using windows TA and other you need either to configure outputs.conf or to issue the bellow command

splunk add forward-server : -auth :

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mosman_splunk
Splunk Employee
Splunk Employee
‎05-10-2016 07:07 PM

the configuration you have is to make the the uf only deployment client to the deployment server, in order to make it report a useful information using windows TA and other you need either to configure outputs.conf or to issue the bellow command

splunk add forward-server : -auth :

0 Karma
Reply
Solved! Jump to solution

jafars
New Member
‎05-11-2016 12:23 AM

Thanks for your answer, I tried it and it fixed the issue.

0 Karma
Reply
Solved! Jump to solution

jafars
New Member
‎05-11-2016 12:36 AM

Alternatively I can fix the problem by specifying RECEIVING_INDEXER="" when installing the forwarder.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...