Splunk Forwarder

jangid
Builder

Hi, I am trying to evaluate Splunk to monitor logs (simple txt format) from a directory.
I was able to set up everything on my local Windows Server 2008 R2 machine and I can see my log data.

Now I want to see logs from a remote machine [Windows 7]. I have installed the Splunk forwarder [splunkforwarder-4.3.2-123586-x64-release.msi] and set the required information; all ports are default, according to the documentation.

Now the question is how to test my forwarder. I have searched the KB, but it's very hard to understand; in most cases the "How To" information is missing.

I tried according to this thread http://splunk-base.splunk.com/answers/41307/splunk-forwarder
but no luck.

[From Splunk Documentation]
1. Test the results to confirm that forwarding, along with any configured behaviors like load balancing or routing, is occurring as expected.

How to test???
How to and where to configure???

Using Network Monitor I can see the forwarder is sending data and my server is receiving data,
but I can't see it in the Splunk UI.

Is there any way to see the remote data and host in the Splunk UI? How do I add multiple forwarders in Splunk?

Thanks in advance

Manoj

1 Solution

mikelanghorst
Motivator

Did you specify during install to monitor anything? For the Windows installer it will ask, but for the *nix installs it doesn't actually monitor anything outside of itself. I've seen that happen to quite a few new users that come into the #splunk IRC channel.

To verify what you are monitoring on the forwarder, you can run the following from a command window: splunk cmd btool inputs list --debug

This will show you every input, along with what app is implementing it.

Also, you can search the _internal index for data by adding: index=_internal to your search.
