Getting Data In

How to troubleshoot why a Universal Forwarder is not sending data to the Deployment Server?

jafars
New Member

I installed a Splunk Universal Forwarder on a Windows Server 2012R2 using following command:

msiexec.exe /i splunkforwarder-6.3.2-aaff59bb082c-x64-release.msi LOGON_USERNAME="domain\account" LOGON_PASSWORD="password" DEPLOYMENT_SERVER="MyDeploymentServerHost:8089" AGREETOLICENSE=Yes /quiet

and I can see that the client (BLD76) is connected, listed in Forwarder Management, one app (Splunk_TA_Windows) has been deployed successfully and it's phoning home:
alt text

However, there's no data being forwarded as my searches don't return any data based on the host name (bld76).
Looking at Splunkd.log on bld76, I can see following error when restarting Forwarder:

05-10-2016 16:17:58.809 +0100 ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.

The install process explained above doesn't create an outputs.conf under etc\system\local, but I have deploymentclient.conf with following content there:

[target-broker:deploymentServer]
targetUri = MyDeploymentServerHost:8089

Could someone please help me diagnose what's missing? I should also add that there's no issues with other universal forwarders sending data (bld10, bld02 & bld73)

0 Karma
1 Solution

mosman_splunk
Splunk Employee
Splunk Employee

the configuration you have is to make the the uf only deployment client to the deployment server, in order to make it report a useful information using windows TA and other you need either to configure outputs.conf or to issue the bellow command

splunk add forward-server : -auth :

View solution in original post

0 Karma

mosman_splunk
Splunk Employee
Splunk Employee

the configuration you have is to make the the uf only deployment client to the deployment server, in order to make it report a useful information using windows TA and other you need either to configure outputs.conf or to issue the bellow command

splunk add forward-server : -auth :

0 Karma

jafars
New Member

Thanks for your answer, I tried it and it fixed the issue.

0 Karma

jafars
New Member

Alternatively I can fix the problem by specifying RECEIVING_INDEXER="" when installing the forwarder.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...