Newbie here with an issue.
Running Splunk 4.2.2 indexer on Linux and universal forwarders 4.2.2 on Windows 7 machines. I have 15 forwarders, but only receive data from the first 6 that were installed. I don't even see the forwarders listed under Hosts or see their Source types on the summary screen. I see errors such as the following in the forwarder's splunkd.log:
07-19-2011 15:25:05.121 -0400 INFO TcpOutputProc - Connected to idx=xx.xx.xxx.xxx:9997
07-19-2011 15:25:09.561 -0400 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" --driver-path "C:\Program Files\SplunkUniversalForwarder\bin"" splunk-regmon - No enabled entries were found in the conf files.
In the indexer's splunkd log I see messages such as:
Waiting for connection from src = aa.bb.ccc.dddd:portno to close before shutting down TCPInputProcessor.
So, it seems that the indexer knows of the forwarder's existence. Not sure what to look at next to try to resolve the issue.
If you run a "splunk list monitor -auth admin:changeme" command from the splunk\bin directory, does it list files that are being monitored to be sent to the indexer?
If it lists nothing, you may have to modify your inputs.conf file to make sure you are monitoring the files that you hope to.
I'd like to run this command:
"splunk list monitor -auth admin:changeme"
on my Windows universal forwarder. Since the service runs under the Local System acct, what credentials can\should I use in place of changeMe?
Running that command does indeed show that the two desired files are not being monitored. But, I can't find anything different between the inputs.conf file in the MSICreated directory on this forwarder and the forwarders where it is correctly working. I'm trying to find some kind of diff style utility to run against both directories.
Could permissions have anything to do with it?
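A stanza-aware comparison of two inputs.conf files, as an added example that is not part of the original thread: a plain line diff is noisy when stanzas appear in a different order, so this compares stanza by stanza and reports missing monitor stanzas and differing settings such as `disabled`. The function names and the sample file contents are constructed for illustration; stanza names are compared as exact strings and backslash line continuations are not handled.

```python
from typing import Dict, List

Conf = Dict[str, Dict[str, str]]

def parse_conf(text: str) -> Conf:
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    conf: Conf = {}
    stanza = "default"  # settings that appear before any [stanza] header
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            conf.setdefault(stanza, {})[key.strip()] = value.strip()
    return conf

def diff_conf(good: Conf, bad: Conf) -> List[str]:
    """Report stanzas and settings that differ between a working and a broken host."""
    findings = []
    for stanza in sorted(set(good) | set(bad)):
        if stanza not in bad:
            findings.append(f"missing stanza on broken host: [{stanza}]")
        elif stanza not in good:
            findings.append(f"extra stanza on broken host: [{stanza}]")
        else:
            g, b = good[stanza], bad[stanza]
            for key in sorted(set(g) | set(b)):
                if g.get(key) != b.get(key):
                    findings.append(
                        f"[{stanza}] {key}: working={g.get(key)!r} broken={b.get(key)!r}")
    return findings

# Constructed sample contents (hypothetical paths, not taken from the thread).
WORKING = r"""
[monitor://C:\logs\app1.log]
sourcetype = app_log
disabled = 0
[monitor://C:\logs\app2.log]
sourcetype = app_log
"""
BROKEN = r"""
[monitor://C:\logs\app1.log]
sourcetype = app_log
disabled = 1
"""

if __name__ == "__main__":
    print("\n".join(diff_conf(parse_conf(WORKING), parse_conf(BROKEN))))
```

To compare real hosts, read each forwarder's inputs.conf into a string and pass both through `parse_conf` before calling `diff_conf`.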