I am trying to forward only CPU/Memory load log to the indexer. Here is what I've done so far:
- Installed indexer(just an instance of splunk) to the server (host)
- Added 9997 under Settings > Receiving and forwarding > receiving configuration
- Installed splunkforwarder to my local machine
- Added hostname(server's hostname):9997 under Settings > Receiving and forwarding > forwarding configuration
- Installed apps for *nix to both of machines
Here's my question:
- How can I check the forwarder actually sends data to indexer?
- How can I check the indexer actually receives data from forwarder?
(I checked /opt/~ … ~/splunk list forward-server at the local machine's cmd, but getting nothing)
- How can I limit kinds of file (data) forwarded to indexer (in order to send only CPU/Memory load)?
I will appreciate if someone gives me step by step instruction to configure settings:
+)
I am seeing the error message says like the following from forwarder's web UI
! Tcp outout pipeline blocked. Attempt '18600'to insert data failed
! skipped indexing of internal audit even will keep dropping events until indexer congestion is remedied.
Are theses related to the connection between indexer and forwarder?
