Getting Data In

Splunk Universal Forwarder configuration help

keri_ahlgren
New Member

I want to monitor a file on MachineA. I configured a universal forwarder on this machine, to send to MachineB. On MachineB, I can see MachineA in the forwarder connections using Deployment Monitor. However, I am at a loss on how to actually see what data is being sent.

The universal forwarder was configured with the following commands:
./splunk monitor /tmp/splunktest/test_current (test_current is the file I wish to monitor)

What do I need to do on MachineB to actually see the data? I tried "Add data" but can't figure out which option to choose.

Thanks!

0 Karma

gdavid
Path Finder

i'm somewhat new to splunk but i'll try to help till someone else gives a better answer.

MachineA should have the input configured to monitor a file
http://docs.splunk.com/Documentation/Splunk/latest/Data/Editinputs.conf

MachineA should also have the outputs configured to push the data to MachineB
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd

This forward should be a 'Splunk Forward'

MachineB should be set to receive the data
usually defaults to: [splunktcp://9997]

now you mention deployment monitor, thats a different beast. if you are using a deployment server [MachineB], you have to create/modify $SPLUNK_HOME/etc/system/local/serverclass.conf on MachineB
serverclass.conf tells the deployment server which folders under /deployment-apps/ it should push to which clients.

and drop your configs for input into a folder inside of (default location) {MachineB]
$SPLUNK_HOME/etc/deployment-apps/
ex:
$SPLUNK_HOME/etc/deployment-apps/MyInputForMachineA/default/inputs.conf

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configuredeploymentclients

not sure at your splunk level but your scope here is quite large. i would start at manually configuring the input, forwarder and receiver. then move onto deployment server/monitor.

0 Karma

gdavid
Path Finder

not sure about the deployment monitor for that use.

however your other setup sounds about right. i would restart splunkd service on the forwarder, take a look at the /var/log/splunkd.log, it will provide a lot of useful information about what is going on.

0 Karma

keri_ahlgren
New Member

Hmm, I had read that I could use the Deployment Monitor just to see if the forwarders were reporting in. I don't particularly need to actually use it to deploy anything (I think).

I believe I already have MachineB set up to receive the data. I added a receiver using the Manage menu. Once I configure the outputs.conf, do I need to do anything else on either machine, or will I be able to see the data in the Splunk server?

Thanks!

0 Karma
Get Updates on the Splunk Community!

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...