We've recently started a Splunk Cloud instance, and are attempting to send data to it locally so we have all the steps ready to push to servers. I've followed the installation instructions pretty much everywhere a few times and still have no solution. Example of the steps taken can be found here: https://docs.splunk.com/Documentation/SplunkCloud/8.2.2109/Admin/UnixGDI with the exception that I can install through a .dmg and my universal forwarder lives at /Applications/SplunkForwarder.
I've been digging around to try to see what could've gone wrong. I haven't messed with any of the configuration files yet; I just added the app with the credentials file and added a monitor to the log file. I can tail the log file locally and things print out to it fine, and the file mapping is correct. The only thing I've noticed is that if I go to `$SPLUNK_HOME/etc/system/local` there's no `inputs.conf` file, but I'm not sure that's even required.
Does anyone have any ideas on where to even start to hunt down the issue?
Also, if I run `./bin/splunk list forward-server`, the forward-server successfully shows up under active.
I assume you have the sc_admin role? Then you can try
`index=_internal host=<your macOS host name>`
to get some internal events from your local host.
Or use the Cloud Monitoring Console, enable Forwarder monitoring, and then check which forwarders show up.
I'm kind of unclear on what to try here. When I say I don't see data in Splunk Cloud, if I go to the search dashboard and type anything, even "*" nothing comes up.
Is there somewhere I can see the data is coming in easier? Should I try setting up an inputs.conf file in the local directory?
I have tried adding `inputs.conf` and making an index in Splunk that the logs get tied to, and it's even showing 0 events, so not sure what to do.
Please create an app on the forwarder with an `inputs.conf` in the format below:
[monitor:///var/log/httpd]
sourcetype = access_common
index = abc
ignoreOlderThan = 7d
Download the Splunk UF credentials package app from Splunk Cloud, place it in `/opt/splunkforwarder/etc/apps`, and restart Splunk.
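As an added example that is not part of the thread (and not Splunk's own tooling): a POSIX shell check to run against the app's `inputs.conf` before the restart in the steps above. It parses each `[monitor://...]` stanza, shows which index and sourcetype it sets, and flags a path that does not exist on this host or a stanza that is disabled, which are the usual reasons a monitor ships nothing even though the forwarder itself is connected. The path in the usage comment is an assumption; point it at wherever your app actually lives (for the macOS install described above, that would be under `/Applications/SplunkForwarder/etc/apps`).

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a universal forwarder
# inputs.conf before restarting. It parses every [monitor://...] stanza,
# prints the index and sourcetype each one sets, and flags stanzas whose
# path does not exist on this host or that are disabled. Pure POSIX sh + awk;
# no Splunk binaries required, so it also runs on a laptop before rollout.
# Assumed usage (path is an assumption, adjust to your app):
#   check_inputs "$SPLUNK_HOME/etc/apps/myapp/local/inputs.conf"
# Returns the number of problem stanzas (0 = every monitor is live),
# or 100 if the file itself cannot be read.

TAB="$(printf '\t')"

# Expand a monitor path that may contain wildcards and test that it matches
# something. Paths containing spaces are a known limitation of this check.
monitor_exists() {
    set -- $1
    [ -e "$1" ]
}

check_inputs() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 100; }

    # One tab-separated record per monitor stanza: path, index, sourcetype, disabled
    records=$(awk '
        function trim(v) { sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); return v }
        function flush() { if (path != "") printf "%s\t%s\t%s\t%s\n", path, idx, st, dis }
        /^\[monitor:\/\// { flush(); path = $0
                            sub(/^\[monitor:\/\//, "", path); sub(/\][ \t]*$/, "", path)
                            idx = "-"; st = "-"; dis = "0"; next }
        /^\[/             { flush(); path = ""; next }   # a non-monitor stanza, skipped
        path != "" && /^[ \t]*index[ \t]*=/      { idx = trim($0) }
        path != "" && /^[ \t]*sourcetype[ \t]*=/ { st  = trim($0) }
        path != "" && /^[ \t]*disabled[ \t]*=/   { dis = trim($0) }
        END { flush() }
    ' "$conf")

    problems=0
    # A here-document instead of a pipe, so the counter survives the loop.
    while IFS="$TAB" read -r path idx st dis; do
        [ -n "$path" ] || continue
        status="ok"
        if [ "$dis" = "1" ] || [ "$dis" = "true" ]; then
            status="DISABLED"; problems=$((problems + 1))
        elif ! monitor_exists "$path"; then
            status="MISSING"; problems=$((problems + 1))
        fi
        [ "$idx" = "-" ] && idx="(none: events go to the default index, usually main)"
        printf '%-8s %s\tindex=%s\tsourcetype=%s\n' "$status" "$path" "$idx" "$st"
    done <<EOF
$records
EOF
    return "$problems"
}
```

A non-zero return is worth fixing before the restart: a MISSING path means the forwarder will connect fine (so `list forward-server` still looks healthy) while that stanza never reads a byte, and a stanza with no `index` lands in the default index rather than the one you created, which is easy to mistake for "no data".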
Yeah, it was coming through, but had to do this to see any of the data. Found it through the Cloud Monitoring Dashboard like you said. Thanks!