Hey All, I am new to Splunk and trying to gain some insight. I have an all mac home and I am trying to gain some insight to what's taking place in my network and whats leaving it.

1. Mac Mini OS X 10.10.2 with Splunk 6.2.2 (indexer\search)
2. MacBookPro with 10.10.2 OS X
3. Universal Forwarder 6.2.2 on MacBookPro

I have installed the server successfully and have logged in and changed the password.

I have DL'd the .DMG from splunk and ran the installer, I have launched the UF with the short cut on my desktop. (so far so good)

This is what it all goes pair shaped so to say. I have drilled down via the terminal app to the Applications\SplunkForwarder\etc\apps\SplunkUniversalForwarder
when I am in here I can only see default and meta

I select default and see lots of files, like outputs.conf, limits.conf, inputs.conf and so on. I believe that I am in the right space based on what I have read. I see in some of the docs that this location over writes or over rules the other outputs.conf in other locations. So this is the one I need to setup the server to send the data to from what I can gather.

I edit them and add the lines for the following:
outputs.conf

Version 6.2.2

[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_introspection)
forwardedindex.filter.disable = false

[tcpout:my_indexer]
server=NN.NN.NN.NN:9997 <--- this is what I added

inputs.conf
[monitor:///var/log]
sourcetype=syslog
host=mymachinename

I stop the Splunk service and start it again with the desktop icon.

Now I go to the serverwebpage:8000 and I am all excited and yep, nothing at all. Back to reading more loads of doc's that don't seem to related really to MAC OS X (aka unix, i get it) . I am not a UNIX admin nor have I ever been. So its little clumsy to fumble around but i get there sooner or later.

It dawns on me that maybe I need to make sure the server is actually listening on that port. I got to "settings/forwarding and receiving" and select add new under the "receiving data" header. I add the port 9997. I restart splunk on the laptop and I wait about 10 mins......still nothing.

Troubleshooting

• I can ping the server and vice versa
• I can ssh to the server
• firewall is off on the macbook\server
• I can telnet to port 9997 on the server from the laptop
• I can telnet to port 8089 on the laptop from server

Logic is I got good connectivity via ip or dns. So this has to be some config logic I am missing.

Can anyone offer some direction on what load of doc's I must be not finding? Its can't be this freakin hard to make a client to talk to the indexer with a UF? Right? (stumped)