Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to forward data to a Splunk Free license?

pdevosceazure
Path Finder
‎10-16-2017 02:05 AM

I am trying to forward logs from a linux server to a Splunk Free indexer instance.
I know my forwarder is set up correctly because I can forward data to a fully licensed splunk indexer OK.
But when I switch the target server to the free license indexer i don't receive anything.

Q: Is it possible to use universal forwarder to send data to a splunk free indexer ( not a trial license)?
I have seen a good few answers but they all talk about forwarding FROM Splunk free not forwarding TO splunk free.
I have seen the "MoreaboutSplunkFree" page
http://docs.splunk.com/Documentation/Splunk/latest/Admin/MoreaboutSplunkFree
but again restrictions seem to be about about forwarding from not to Splunk free.

0 Karma
Reply

pdevosceazure
Path Finder
‎10-16-2017 03:32 AM

Thanks
nickhillscpl : Yes I have configured Receiver, Yes I opened port 9997 on firewall for TCP ( should it be udp?)
No I have not configured any this special on indexer. on the tutorial video there is no mention of setting indexer.
Where could I find this?

HiroshiSatoh : I only access data from search head. When i click on "data summary" I can see other host I used in the past but I cannot see the ip of forwarding server. this is available on the fulled licensed server.

Is there some log on the Forwarding server I could look telling me "cannot contact indexer because..."?

0 Karma
Reply

HiroshiSatoh
Champion
‎10-16-2017 06:27 AM

Distributed configuration is not possible with the free version. Can you search on the indexer's server?

0 Karma
Reply

HiroshiSatoh
Champion
‎10-16-2017 03:20 AM

What is the reason?
Data is transferred to the indexer, but it can not be retrieved from the search head.

0 Karma
Reply

nickhills
Ultra Champion
‎10-16-2017 03:25 AM

In Splunk "free" there is no search head/indexer - Its a single box deployment only...
Although... that raises a good question if you were on Ent Trial, and had previously configured distributed search before the lic reverted to free

If my comment helps, please give it a thumbs up!
0 Karma
Reply

nickhills
Ultra Champion
‎10-16-2017 03:18 AM

You should be able to do this - as you correctly state, the free version limits your ability to configure a distributed environment (hence From).

There are no restrictions using a UF to send data to a system running the free licence.

Silly questions therefore follow:
Have you configured receiving ports?
Indexes?
Firewalls?

If my comment helps, please give it a thumbs up!
0 Karma
Reply

nickhills
Ultra Champion
‎10-16-2017 06:06 AM

try searching for: index=_internal host=<your missing host name>
Although I suspect that it may come back empty!
Then take a look at the /opt/splunkforwarder/var/log/splunk/splunkd.log file - Look for any connection attempts specifically to port 9997. (yes it is normally TCP)

How did you configure your forwarder?

If my comment helps, please give it a thumbs up!
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...