Splunk Forwarder: Why is there no listing of the W...

Aus01 · ‎09-08-2023

I have installed the splunk forwarder on a Windows 10 VM and have splunk installed on a Debian VM. I have restarted the splunk forwarder on the Win10 VM but when i log into splunk enterprise on the Debian VM and go into Search & Reporting > Data Summary there is no listing of the Win10 VM in either hosts or source list.

Does anyone have any idea what i could be doing wrong or any suggestions of things i could try?

PickleRick · ‎09-09-2023

Just because you installed two components, doesn't mean they know how to talk to each other.

1. What version of Splunk did you install? (Splunk Free or Splunk Enterprise with a proper commercial or trial license)

2. Did you configure the UF on/after installation in any way?

gcusello · ‎09-08-2023

HI @Aus01,

the usual issue in this situations are the following:

did you enabled Receiving on the Splunk Enterprise VM [ Settings > Forwardring and Receiving > Receiving ]?
did you configured your Universal Forwarder to send logs to the Splunk Enterprise VM?
Did you disabled local firewall on the both the machines?
Ciao.

Giuseppe

Splunk Forwarder: Why is there no listing of the Win10 VM in either hosts or source list?

Linux

universal forwarder

Windows

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...