- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to forward data to a Splunk Free license?
I am trying to forward logs from a linux server to a Splunk Free indexer instance.
I know my forwarder is set up correctly because I can forward data to a fully licensed splunk indexer OK.
But when I switch the target server to the free license indexer i don't receive anything.
Q: Is it possible to use universal forwarder to send data to a splunk free indexer ( not a trial license)?
I have seen a good few answers but they all talk about forwarding FROM Splunk free not forwarding TO splunk free.
I have seen the "MoreaboutSplunkFree" page
http://docs.splunk.com/Documentation/Splunk/latest/Admin/MoreaboutSplunkFree
but again restrictions seem to be about about forwarding from not to Splunk free.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks
nickhillscpl : Yes I have configured Receiver, Yes I opened port 9997 on firewall for TCP ( should it be udp?)
No I have not configured any this special on indexer. on the tutorial video there is no mention of setting indexer.
Where could I find this?
HiroshiSatoh : I only access data from search head. When i click on "data summary" I can see other host I used in the past but I cannot see the ip of forwarding server. this is available on the fulled licensed server.
Is there some log on the Forwarding server I could look telling me "cannot contact indexer because..."?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Distributed configuration is not possible with the free version. Can you search on the indexer's server?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the reason?
Data is transferred to the indexer, but it can not be retrieved from the search head.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In Splunk "free" there is no search head/indexer - Its a single box deployment only...
Although... that raises a good question if you were on Ent Trial, and had previously configured distributed search before the lic reverted to free
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should be able to do this - as you correctly state, the free version limits your ability to configure a distributed environment (hence From).
There are no restrictions using a UF to send data to a system running the free licence.
Silly questions therefore follow:
Have you configured receiving ports?
Indexes?
Firewalls?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try searching for: index=_internal host=<your missing host name>
Although I suspect that it may come back empty!
Then take a look at the /opt/splunkforwarder/var/log/splunk/splunkd.log file - Look for any connection attempts specifically to port 9997. (yes it is normally TCP)
How did you configure your forwarder?
