Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

No events from Universal Forwarder

aly347774
Loves-to-Learn Lots
‎01-21-2024 11:12 PM

I installed Universal Forwarder On Linux Machine and integrate it with Splunk , but their is no logs returned on Splunk Search Head ,  as per your Knowledge I`m currently working on distributed Splunk Enterprise .

 

Any Recommendations ?

Labels (2)
0 Karma
Reply

aly347774
Loves-to-Learn Lots
‎01-22-2024 02:33 AM

I want to connect Splunk to the Linux server, and I downloaded the UF on the Linux server to get the security logs from it. After I created the server class and added clients to it, I downloaded the UF to it and made 2 apps (one for nix and one for main) to receive logs.

 

When I searched the search head, no logs appeared
I think the error is in the nix app. Does anyone know what modifications are required to be made on the nix app so that I can take the security logs?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-22-2024 02:37 AM

OK. You downloaded and installed the UF. I assume you started it as well. But as you are apparently using a Deployment Server, did you configure your UF to connect to that DS?

0 Karma
Reply

aly347774
Loves-to-Learn Lots
‎01-22-2024 10:28 PM

I have specified a specific index so that we can send the logs to it, but when I search in the search head, there are no logs found.
Do I have to specify anything in the Input.conf file?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-22-2024 12:28 AM

What do you mean by "I integrated my UF with Splunk"?

Also the usual questions.

1. Do you have _any_ events from this forwarder (especially forwarder's own logs in _internal index) in your Splunk?

2. Do you have connectivity from your UF to your receiving component(s)? Did you verify it manually?

3. Did you check your forwarder's logs ($SPLUNK_HOME/var/log/splunk/splunkd.log) for errors?

0 Karma
Reply

aly347774
Loves-to-Learn Lots
‎01-22-2024 02:36 AM

I want to connect Splunk to the Linux server, and I downloaded the UF on the Linux server to get the security logs from it. After I created the server class and added clients to it, I downloaded the UF to it and made 2 apps (one for nix and one for main) to receive logs.

 

When I searched the search head, no logs appeared
I think the error is in the nix app. Does anyone know what modifications are required to be made on the nix app so that I can take the security logs?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-23-2024 11:05 AM

OK. Maybe you misunderstand how Splunk works. You don't "connect splunk to a linux server". You install UF on a server and (and that might be one of the parts you're missing) you're making it send events to Splunk.

So, did you verify any of those things I asked you earlier?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...