I want to monitor a file on MachineA. I configured a universal forwarder on this machine, to send to MachineB. On MachineB, I can see MachineA in the forwarder connections using Deployment Monitor. However, I am at a loss on how to actually see what data is being sent.
The universal forwarder was configured with the following commands:
./splunk monitor /tmp/splunktest/test_current (test_current is the file I wish to monitor)
What do I need to do on MachineB to actually see the data? I tried "Add data" but can't figure out which option to choose.
Thanks!
i'm somewhat new to splunk but i'll try to help till someone else gives a better answer.
MachineA should have the input configured to monitor a file
http://docs.splunk.com/Documentation/Splunk/latest/Data/Editinputs.conf
MachineA should also have the outputs configured to push the data to MachineB
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd
This forward should be a 'Splunk Forward'
MachineB should be set to receive the data
usually defaults to: [splunktcp://9997]
now you mention deployment monitor, thats a different beast. if you are using a deployment server [MachineB], you have to create/modify $SPLUNK_HOME/etc/system/local/serverclass.conf on MachineB
serverclass.conf tells the deployment server which folders under /deployment-apps/ it should push to which clients.
and drop your configs for input into a folder inside of (default location) {MachineB]
$SPLUNK_HOME/etc/deployment-apps/
ex:
$SPLUNK_HOME/etc/deployment-apps/MyInputForMachineA/default/inputs.conf
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configuredeploymentclients
not sure at your splunk level but your scope here is quite large. i would start at manually configuring the input, forwarder and receiver. then move onto deployment server/monitor.
not sure about the deployment monitor for that use.
however your other setup sounds about right. i would restart splunkd service on the forwarder, take a look at the /var/log/splunkd.log, it will provide a lot of useful information about what is going on.
Hmm, I had read that I could use the Deployment Monitor just to see if the forwarders were reporting in. I don't particularly need to actually use it to deploy anything (I think).
I believe I already have MachineB set up to receive the data. I added a receiver using the Manage menu. Once I configure the outputs.conf, do I need to do anything else on either machine, or will I be able to see the data in the Splunk server?
Thanks!