Getting Data In

Splunk Universal Forwarder configuration help

keri_ahlgren
New Member

I want to monitor a file on MachineA. I configured a universal forwarder on this machine, to send to MachineB. On MachineB, I can see MachineA in the forwarder connections using Deployment Monitor. However, I am at a loss on how to actually see what data is being sent.

The universal forwarder was configured with the following commands:
./splunk monitor /tmp/splunktest/test_current (test_current is the file I wish to monitor)

What do I need to do on MachineB to actually see the data? I tried "Add data" but can't figure out which option to choose.

Thanks!

0 Karma

gdavid
Path Finder

I'm somewhat new to Splunk, but I'll try to help until someone else gives a better answer.

MachineA should have the input configured to monitor a file
http://docs.splunk.com/Documentation/Splunk/latest/Data/Editinputs.conf

MachineA should also have the outputs configured to push the data to MachineB
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd

This forward should be a 'Splunk Forward'

MachineB should be set to receive the data
usually defaults to: [splunktcp://9997]

Now, you mention Deployment Monitor; that's a different beast. If you are using a deployment server [MachineB], you have to create/modify $SPLUNK_HOME/etc/system/local/serverclass.conf on MachineB.
serverclass.conf tells the deployment server which folders under /deployment-apps/ it should push to which clients.

Then drop your input configs into a folder inside of (default location) [MachineB]
$SPLUNK_HOME/etc/deployment-apps/
e.g.:
$SPLUNK_HOME/etc/deployment-apps/MyInputForMachineA/default/inputs.conf

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configuredeploymentclients

Not sure about your Splunk level, but your scope here is quite large. I would start by manually configuring the input, forwarder and receiver, then move on to the deployment server/monitor.

0 Karma
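As an added example (not from the thread or from Splunk's docs), here are the minimal stanzas that the answer above describes, written out for the file from the question; the MachineB hostname, index and sourcetype are placeholders you would replace:

```ini
# --- MachineA (universal forwarder): $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Same effect as "./splunk monitor /tmp/splunktest/test_current" from the question.
[monitor:///tmp/splunktest/test_current]
disabled = false
index = main
sourcetype = splunktest

# --- MachineA (universal forwarder): $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Send everything to the receiving group; "forward-server" in the CLI writes the same stanzas.
[tcpout]
defaultGroup = machineb_receivers

[tcpout:machineb_receivers]
# Placeholder hostname; use MachineB's real address and its receiving port.
server = machineb.example.internal:9997

# --- MachineB (indexer / receiver): $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Matches the [splunktcp://9997] receiver the answer mentions (Settings > Forwarding and receiving).
[splunktcp://9997]
disabled = false

# Verification after restarting splunkd on both machines (run as shell commands / searches):
#   On MachineA:  ./splunk list forward-server      (MachineB should appear under "Active forwards")
#   On MachineA:  ./splunk list monitor             (the file path should be listed)
#   On MachineB:  index=main source="/tmp/splunktest/test_current"
#   On MachineB:  index=_internal host=MachineA     (forwarder's own logs, proves the connection)
```

If the _internal search returns events but the main search does not, the connection works and the problem is the monitor input (path, permissions, or a file that has not been appended to since monitoring began).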

gdavid
Path Finder

Not sure about the Deployment Monitor for that use.

However, your other setup sounds about right. I would restart the splunkd service on the forwarder and take a look at /var/log/splunkd.log; it will provide a lot of useful information about what is going on.

0 Karma

keri_ahlgren
New Member

Hmm, I had read that I could use the Deployment Monitor just to see if the forwarders were reporting in. I don't particularly need to actually use it to deploy anything (I think).

I believe I already have MachineB set up to receive the data. I added a receiver using the Manage menu. Once I configure the outputs.conf, do I need to do anything else on either machine, or will I be able to see the data in the Splunk server?

Thanks!

0 Karma