Splunk Cloud on-boarding logs

superuser88
Engager

Hello, I deployed a free trial Splunk Cloud instance to learn how to onboard logs into Splunk. I tried for hours but I am still unable to onboard logs.

Here is what I did...

  1. Spun up a Splunk Cloud instance (pretty straightforward).
  2. Downloaded the Splunk Universal Forwarder (pretty straightforward).
  3. Installed the Splunk Universal Forwarder on my local Windows machine:
    1. Unchecked Splunk on-prem as this is a cloud instance.
    2. It asked me to create a username and password; I created some crap login details and I don't know what these are for.
    3. I chose a local installation, not network or domain.
    4. It asked which logs I need; I chose all except AD logs because mine is local.
    5. Now it asked for the location of the deployment server and port. I used my deployment server and left the port blank as it takes 8089.
    6. I wasn't asked for any receiver server details here, whereas in YouTube videos I saw it asking others for receiver server details.
    7. I clicked on the install button and the installation was successful.

  4. Back in the Splunk Cloud instance, I went to Data Inputs.

  5. Chose Windows Events and added my workstation hostname in there (it's displayed in there).

  6. I picked to add to index main.

  7. Now it says all done, start searching.

I tried searching and nothing comes up on the server for index=main or host=myhostname.

I tried going to the forwarding and receiving section and there is only an option for configuring forwarding, but there are no receiving options.

Also, in Windows I went to C:\Program Files\SplunkUniversalForwarder\etc\system\local and there is no outputs.conf file there.

There are deploymentclient.conf, authentication.conf, server.conf and inputs.conf files, but there is no outputs.conf.

Can anyone tell me what I have done wrong? Why am I not able to onboard my logs?

I also temporarily disabled my firewall to see if my firewall is blocking it, but that's not the case, and I am able to telnet to the Splunk Cloud instance.


richgalloway
SplunkTrust

That you weren't asked for receiver details means the forwarder doesn't know where to send data, so there's no data for you to search. The fix is pretty straightforward.

Select the Universal Forwarder app from your Splunk Cloud search head. Click the green "Download..." button to download an app that will configure your forwarder to send to your cloud instance.

Expand the downloaded file and transfer the 100__splunkcloud_uf app to \Program Files\SplunkUniversalForwarder\etc\apps. Restart the forwarder. You should see data in your indexers in a few minutes.

---
If this reply helps you, Karma would be appreciated.
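
The root cause in this thread is a forwarder with no outputs.conf anywhere in its configuration layers, and the fix is an app dropped into etc/apps that supplies one. The following Python script is an added example, not code from this thread or from Splunk; it approximates the configuration precedence that `splunk btool outputs list --debug` applies (etc/system/local over etc/apps/*/local over etc/apps/*/default over etc/system/default, with the ASCII-first app winning among apps, which is why the cloud app carries a numeric prefix) and reports where [tcpout] would send data. The app directory name is taken from the answer above; the throwaway SPLUNK_HOME, the hostnames and the outputs.conf contents are constructed for the demo, and placing the app's outputs.conf under default/ is an assumption.

```python
"""Resolve where a Universal Forwarder would send data from its outputs.conf layers.

Added example (not from the forum post or Splunk's own code). It approximates the
global-context precedence that `splunk btool outputs list --debug` applies:
etc/system/local beats etc/apps/*/local, which beats etc/apps/*/default, which
beats etc/system/default; among apps, the one that sorts first in ASCII order
wins. The demo directories, hostnames and the outputs.conf text are constructed.
"""
import configparser
import tempfile
from pathlib import Path

# Constructed stand-in for the outputs.conf the cloud credentials app ships
# (app directory name taken from the accepted answer; contents are assumed).
CLOUD_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
server = inputs1.example.splunkcloud.invalid:9997, inputs2.example.splunkcloud.invalid:9997
sslVerifyServerCert = true
"""


def outputs_conf_layers(splunk_home: Path):
    """outputs.conf paths in lowest-to-highest precedence order (global context)."""
    layers = [splunk_home / "etc" / "system" / "default" / "outputs.conf"]
    apps_dir = splunk_home / "etc" / "apps"
    app_names = sorted(p.name for p in apps_dir.iterdir() if p.is_dir()) if apps_dir.is_dir() else []
    # Every app's default/ ranks below every app's local/. Within a layer the
    # ASCII-first app wins, so it is applied last (hence the reversed order).
    for sub in ("default", "local"):
        for name in reversed(app_names):
            layers.append(apps_dir / name / sub / "outputs.conf")
    layers.append(splunk_home / "etc" / "system" / "local" / "outputs.conf")
    return layers


def resolve_outputs(splunk_home: Path):
    """Merge all outputs.conf layers; later (higher precedence) files overwrite keys."""
    merged = {}    # stanza name -> {key: value}
    sources = []   # files that actually existed and contributed
    for path in outputs_conf_layers(splunk_home):
        if not path.is_file():
            continue
        cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
        cp.optionxform = str  # Splunk keys such as defaultGroup are case-sensitive
        cp.read(path)
        for stanza in cp.sections():
            merged.setdefault(stanza, {}).update(cp[stanza])
        sources.append(str(path))
    return merged, sources


def forward_targets(merged):
    """host:port receivers selected by [tcpout] defaultGroup, or [] if none is configured."""
    group_list = merged.get("tcpout", {}).get("defaultGroup", "")
    targets = []
    for group in (g.strip() for g in group_list.split(",") if g.strip()):
        servers = merged.get(f"tcpout:{group}", {}).get("server", "")
        targets.extend(s.strip() for s in servers.split(",") if s.strip())
    return targets


def build_demo_home(with_cloud_app: bool) -> Path:
    """Create a throwaway SPLUNK_HOME mirroring the question: deploymentclient.conf
    in system/local but no outputs.conf, optionally with the cloud app dropped
    into etc/apps the way the accepted answer describes."""
    home = Path(tempfile.mkdtemp(prefix="uf_demo_"))
    local = home / "etc" / "system" / "local"
    local.mkdir(parents=True)
    (local / "deploymentclient.conf").write_text(
        "[target-broker:deploymentServer]\ntargetUri = deploy.example.invalid:8089\n"
    )
    if with_cloud_app:
        app_default = home / "etc" / "apps" / "100__splunkcloud_uf" / "default"
        app_default.mkdir(parents=True)
        (app_default / "outputs.conf").write_text(CLOUD_OUTPUTS_CONF)
    return home


def diagnose(splunk_home: Path) -> str:
    """One-line verdict worth checking before searching index=main on the cloud side."""
    merged, sources = resolve_outputs(splunk_home)
    targets = forward_targets(merged)
    if not targets:
        return "NO DESTINATION: no outputs.conf defines [tcpout] defaultGroup; data stays on the host"
    return "forwarding to " + ", ".join(targets) + " (from " + ", ".join(sources) + ")"


if __name__ == "__main__":
    print("before app install:", diagnose(build_demo_home(with_cloud_app=False)))
    print("after app install: ", diagnose(build_demo_home(with_cloud_app=True)))
```

On a real forwarder the built-in equivalents are `splunk btool outputs list --debug` (shows the merged stanzas and which file each key came from) and `splunk list forward-server` (shows which receivers the forwarder is actually connected to); point the script at the real SPLUNK_HOME instead of the demo directory to get the same verdict from the files alone.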

superuser88
Engager

What I missed is running the command "splunk install app -auth :". After doing this it started working. Thanks for your help. 🙂
