- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Splunk Forwarder and Receiver Problem
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I am trying to setup a system where I need to get data from my storage server - Y onto splunk instance running on different server, we name it X. The only way ( probably ) i can access Y is to mount it on server X. Once mounted i can access data on server Y.
Now as far as I understood the process, I need to install splunk forwarder on server Y so that I can receive data on my splunk receiver which is on server X. But i am really stuck with how i can install/deploy splunk forwarder on server Y with access only from server X.
Please help me clarify points from above which possibly you did not understand.
Mehal
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you can mount the storage from Y onto X, you don't need to install a forwarder on Y. Just setup the mount properly so there's a file system path on X that can be used for accessing Y's storage, then setup your forwarder on X to monitor that path.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you can mount the storage from Y onto X, you don't need to install a forwarder on Y. Just setup the mount properly so there's a file system path on X that can be used for accessing Y's storage, then setup your forwarder on X to monitor that path.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I tried following that but doesn't helping me much.
I did below to inputs.conf and outputs.conf files :
In SplunkForwarder:
I edited outputs.conf with following
[monitor://mnt/cloudstorage/unzipped_data]
_TCP_ROUTING = *
index = _internal
sourcetype=airtime_csv
edited inputs.conf with following
[tcpout:splunkindexer]
server = ipaddress:9997
In Splunk:
I edited outputs.conf with following
Edited inputs.conf with below
[splunktcp:9997]
and nothing for outputs.conf
But not working out.Also do we change above files in /etc/system/local directory or /etc/system/default directory ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's covered pretty well in the docs, so my suggestion is for you to have a look there, and if you encounter any specific issues you're free to ask questions here on splunkbase.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ayn,
I mounted storage with following command.
mount -t cifs //hostname/dirc /mnt/dirname -o user=user,pass=pass
Also, I tried installing forwarder on X and did something with outputs.conf and inputs.conf but that doesn't seem to help either. Considering i mounted drive correctly can you help me out with configuring output.conf and input.conf files of forwarder and receiver. ?
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
