Getting Data In

How to troubleshoot why a Universal Forwarder is not sending data to the Deployment Server?

New Member

I installed a Splunk Universal Forwarder on a Windows Server 2012R2 using following command:

msiexec.exe /i splunkforwarder-6.3.2-aaff59bb082c-x64-release.msi LOGON_USERNAME="domain\account" LOGON_PASSWORD="password" DEPLOYMENT_SERVER="MyDeploymentServerHost:8089" AGREETOLICENSE=Yes /quiet

and I can see that the client (BLD76) is connected, listed in Forwarder Management, one app (Splunk_TA_Windows) has been deployed successfully and it's phoning home:
alt text

However, there's no data being forwarded as my searches don't return any data based on the host name (bld76).
Looking at Splunkd.log on bld76, I can see following error when restarting Forwarder:

05-10-2016 16:17:58.809 +0100 ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.

The install process explained above doesn't create an outputs.conf under etc\system\local, but I have deploymentclient.conf with following content there:

[target-broker:deploymentServer]
targetUri = MyDeploymentServerHost:8089

Could someone please help me diagnose what's missing? I should also add that there's no issues with other universal forwarders sending data (bld10, bld02 & bld73)

0 Karma
1 Solution

Splunk Employee
Splunk Employee

the configuration you have is to make the the uf only deployment client to the deployment server, in order to make it report a useful information using windows TA and other you need either to configure outputs.conf or to issue the bellow command

splunk add forward-server : -auth :

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

the configuration you have is to make the the uf only deployment client to the deployment server, in order to make it report a useful information using windows TA and other you need either to configure outputs.conf or to issue the bellow command

splunk add forward-server : -auth :

View solution in original post

0 Karma

New Member

Thanks for your answer, I tried it and it fixed the issue.

0 Karma

New Member

Alternatively I can fix the problem by specifying RECEIVING_INDEXER="" when installing the forwarder.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!