Getting Data In

Mac OSX: Splunk Universal Forwarder not Being Received by Splunk Cloud

yourknightmares
Explorer

We've recently started a Splunk Cloud instance, and are attempting to send data to it locally so we have all the steps ready to push to servers. I've followed the installation instructions pretty much everywhere a few times and still have no solution. Example of the steps taken can be found here: https://docs.splunk.com/Documentation/SplunkCloud/8.2.2109/Admin/UnixGDI with the exception that I can install through a .dmg and my universal forwarder lives at /Applications/SplunkForwarder.

I've been digging around to try to see what could've gone wrong, I haven't messed with any of the configuration files yet, just added the app with the credentials file and added a monitor to the log file. I can tail the log file locally and things print out to it fine, and the file mapping is correct. The only thing I've noticed is that if I go to $SPLUNK_HOME/etc/system/local there's no `inputs.conf` file, but I'm not sure that's even required.

Does anyone have any ideas on where to even start to hunt down the issue?


Also, if I run ./bin/splunk list forward-server the forward successfully shows up under active

1 Solution

isoutamo
SplunkTrust

I suppose that you have sc_admin role? Then you can try


index=_internal host=<your macOS host name>


to get some internal events from your local host.

Or use Cloud Monitoring Console and enable Forwarder monitoring and after that look what forwarders you have.


isoutamo
SplunkTrust
If your forward-server is active, you probably see some data from your Mac on Splunk Cloud. Just look from _internal with your hostname.
When you are sending local data from a source to the cloud you must always define some inputs.conf which tells Splunk what you are collecting and what it is.
r. Ismo

yourknightmares
Explorer

I'm kind of unclear on what to try here. When I say I don't see data in Splunk Cloud, if I go to the search dashboard and type anything, even "*" nothing comes up.


Is there somewhere I can see the data is coming in easier? Should I try setting up an inputs.conf file in the local directory?


yourknightmares
Explorer

I have tried adding inputs.conf and making an index in Splunk that the logs get tied to, and it's even showing 0 events, so I'm not sure what to do.


Roy_9
Motivator

Please create an app on the forwarder with inputs.conf which has the below format


[monitor:///var/log/httpd]
sourcetype = access_common
index = abc
ignoreOlderThan = 7d


Download the splunk UF credential package app from splunk cloud and place it in /opt/splunkforwarder/etc/apps location and do a splunk restart


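A small validator for the app-style inputs.conf described in this answer, added here as an example; it is not code from the thread or from Splunk. It assumes a hypothetical app name `local_mac_inputs` and a constructed log file under a temporary directory standing in for $SPLUNK_HOME, and checks the things a forwarder admin would want to see before restarting: the monitored path exists on this host, index and sourcetype are set, ignoreOlderThan uses Splunk's <n>[s|m|h|d] form, and no two settings have been run onto one line (which is how the stanza above renders if it is pasted without the line break between index and ignoreOlderThan).

```python
"""Write an app-style inputs.conf for a Splunk universal forwarder and sanity-check it.

Added example, not code from this thread or from Splunk. The app name
`local_mac_inputs` and the log file are constructed for the demo.
"""
import configparser
import os
import re
import tempfile

# Splunk's relative-time form for ignoreOlderThan: <integer><s|m|h|d>
RELATIVE_TIME = re.compile(r"^\d+[smhd]$")


def build_inputs_conf(log_path, index, sourcetype, ignore_older_than="7d"):
    """Render one [monitor://...] stanza in the layout shown in the answer above."""
    return (
        f"[monitor://{log_path}]\n"
        f"sourcetype = {sourcetype}\n"
        f"index = {index}\n"
        f"ignoreOlderThan = {ignore_older_than}\n"
    )


def write_app(splunk_home, app_name, inputs_conf_text):
    """Create $SPLUNK_HOME/etc/apps/<app_name>/local/inputs.conf and return its path."""
    local_dir = os.path.join(splunk_home, "etc", "apps", app_name, "local")
    os.makedirs(local_dir, exist_ok=True)
    path = os.path.join(local_dir, "inputs.conf")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(inputs_conf_text)
    return path


def parse_inputs_conf(path):
    """Parse inputs.conf into {stanza: {key: value}}; keys keep their case."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk settings such as ignoreOlderThan are case-sensitive
    parser.read(path, encoding="utf-8")
    return {section: dict(parser.items(section)) for section in parser.sections()}


def check_monitor_stanzas(stanzas):
    """Return a list of problems a forwarder admin would want fixed; [] means sane."""
    problems = []
    monitors = [s for s in stanzas if s.startswith("monitor://")]
    if not monitors:
        problems.append("no [monitor://...] stanza: the forwarder will collect nothing")
    for stanza in monitors:
        settings = stanzas[stanza]
        target = stanza[len("monitor://"):]
        if not os.path.exists(target):
            problems.append(f"{stanza}: {target} does not exist on this host")
        for key, value in settings.items():
            # "index = abc ignoreOlderThan = 7d" parses as one setting whose value holds '='
            if "=" in value:
                problems.append(
                    f"{stanza}: '{key} = {value}' looks like two settings run onto one line"
                )
        for required in ("index", "sourcetype"):
            if required not in settings:
                problems.append(f"{stanza}: {required} not set")
        older = settings.get("ignoreOlderThan")
        if older is not None and not RELATIVE_TIME.match(older):
            problems.append(f"{stanza}: ignoreOlderThan={older!r} is not <n>[s|m|h|d]")
    return problems


def validate_app(splunk_home, app_name, inputs_conf_text):
    """Write the app, re-read it the way Splunk would, and report problems."""
    path = write_app(splunk_home, app_name, inputs_conf_text)
    return check_monitor_stanzas(parse_inputs_conf(path))


def demo():
    """Use a temporary directory as SPLUNK_HOME; return (good_problems, bad_problems)."""
    with tempfile.TemporaryDirectory() as splunk_home:
        log_path = os.path.join(splunk_home, "app.log")  # constructed log file
        with open(log_path, "w", encoding="utf-8") as fh:
            fh.write("2024-01-01T00:00:00Z constructed sample line\n")
        good = validate_app(splunk_home, "local_mac_inputs",
                            build_inputs_conf(log_path, index="macos", sourcetype="syslog"))
        # Same stanza with index and ignoreOlderThan collapsed onto one line
        broken = (f"[monitor://{log_path}]\n"
                  "sourcetype = syslog\n"
                  "index = abc ignoreOlderThan = 7d\n")
        bad = validate_app(splunk_home, "broken_inputs", broken)
    return good, bad


if __name__ == "__main__":
    good_problems, bad_problems = demo()
    print("good config problems:", good_problems)
    print("broken config problems:", bad_problems)
```

Once the real app is in place under $SPLUNK_HOME/etc/apps, `$SPLUNK_HOME/bin/splunk btool inputs list --debug` prints every effective inputs stanza together with the file it came from, which is the quickest way to confirm the forwarder actually loaded the app rather than a stray copy elsewhere; the credentials package from Splunk Cloud supplies the outputs.conf side, so both apps need to be present before the restart.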


yourknightmares
Explorer

Yeah, it was coming through, but had to do this to see any of the data. Found it through the Cloud Monitoring Dashboard like you said. Thanks!
