Getting Data In

Splunk Cloud on-boarding logs

superuser88
Engager

Hello, I deployed a free trial Splunk Cloud instance to learn how to onboard logs into Splunk. I tried for hours but I am still unable to onboard logs.

Here is what I did...

  1. Spun up a Splunk Cloud instance (pretty straightforward).
  2. Downloaded the Splunk Universal Forwarder (pretty straightforward).
  3. Installed the Splunk Universal Forwarder on my local Windows machine:
     1. Unchecked Splunk on-prem, as this is a cloud instance.
     2. It asked me to create a username and password. I created some crap login details and I don't know what these are for.
     3. I chose a local installation, not network or domain.
     4. It asked which logs I need. I chose all except AD logs, because mine is local.
     5. Now it asked for the location of the deployment server and port. I used my deployment server and left the port blank, as it takes 8089.
     6. I wasn't asked for any receiver server details here, which I saw in YouTube videos where it asks others for receiver server details.
     7. Clicked the install button and the installation was successful.
  4. Back in the Splunk Cloud instance, I went to Data Inputs.
  5. Chose Windows Events and added my workstation hostname in there (it's displayed in there).
  6. I picked index main to add to.
  7. Now it says all done, start searching.

I tried searching and nothing comes up on the server for index=main or host=myhostname.

I tried going to the forwarding and receiving section, and there is only an option for configuring forwarding; there are no receiving options.

Also, on my Windows machine I went to C:\Program Files\SplunkUniversalForwarder\etc\system\local and there is no outputs.conf file there.

There are deploymentclient.conf, authentication.conf, server.conf and input.conf files but there is no outputs.conf.

Can anyone tell me what I have done wrong? Why am I not able to onboard my logs?

I also temporarily disabled my firewall to see if my firewall was blocking, but that's not the case, and I am able to telnet to the Splunk Cloud instance.

1 Solution

richgalloway
SplunkTrust

That you weren't asked for receiver details means the forwarder doesn't know where to send data, so there's no data for you to search. The fix is pretty straightforward.

Select the Universal Forwarder app from your Splunk Cloud search head. Click the green "Download..." button to download an app that will configure your forwarder to send to your cloud instance.

Expand the downloaded file and transfer the 100__splunkcloud_uf app to \Program Files\SplunkUniversalForwarder\etc\apps. Restart the forwarder. You should see data in your indexers in a few minutes.

---
If this reply helps you, Karma would be appreciated.
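A quick way to confirm the forwarder actually has a destination after dropping the app in, as an added example (not Splunk's own tooling nor part of this thread): it merges the outputs.conf text from the forwarder's configuration layers in precedence order and reports anything that would stop data leaving the host. The Splunk Cloud hostnames in the sample are placeholders, and app-versus-app precedence is simplified to the order the layers are passed in.

```python
# Added example (not Splunk's tooling): merge a Universal Forwarder's outputs.conf layers
# and report why data would not leave the host, e.g. the missing outputs.conf above.
import configparser

def parse_conf(text):
    # Splunk .conf files are ini-style and keys are case-sensitive, so keep their case.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def merge_layers(layers):
    # Lowest precedence first (system/default, app default, app local, system/local); later wins.
    merged = {}
    for text in layers:
        for stanza, kv in parse_conf(text).items():
            merged.setdefault(stanza, {}).update(kv)
    return merged

def check_tcpout(conf):
    # Returns a list of problems; an empty list means a usable, certificate-verified TLS destination.
    group = conf.get("tcpout", {}).get("defaultGroup")
    if not group:
        return ["no [tcpout] defaultGroup: nowhere to send data (outputs.conf missing?)"]
    stanza = conf.get(f"tcpout:{group}")
    if stanza is None:
        return [f"defaultGroup '{group}' has no matching [tcpout:{group}] stanza"]
    problems = []
    servers = [s.strip() for s in stanza.get("server", "").split(",") if s.strip()]
    if not servers:
        problems.append(f"[tcpout:{group}] lists no server entries")
    for entry in servers:
        host, _, port = entry.rpartition(":")
        if not host or not port.isdigit():
            problems.append(f"malformed server entry '{entry}' (expected host:port)")
    if stanza.get("useSSL", "").lower() == "false":
        problems.append(f"[tcpout:{group}] sends in cleartext (useSSL = false)")
    if stanza.get("sslVerifyServerCert", "false").lower() != "true":
        problems.append(f"[tcpout:{group}] does not verify the receiver's certificate")
    return problems

# Constructed sample shaped like the Splunk Cloud UF app's outputs.conf (placeholder hostnames).
CLOUD_APP_OUTPUTS = """
[tcpout]
defaultGroup = splunkcloud
[tcpout:splunkcloud]
server = inputs1.example.splunkcloud.com:9997, inputs2.example.splunkcloud.com:9997
useSSL = true
sslVerifyServerCert = true
"""
```

Running `check_tcpout(merge_layers([]))` reproduces the asker's state (no outputs.conf anywhere), while passing the app's outputs.conf text, followed by any system/local override, shows whether a later layer silently weakens the destination.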


superuser88
Engager

What I missed is running the command "splunk install app -auth :". After doing this it started working. Thanks for your help. 🙂
