Getting Data In

Splunk forwarder issue after installation in Windows

briansarmiento
Explorer

Hi all,

I'm having several issues after installing Splunk Forwarder on Any Win10 Device. (Win 10, Win Server 2012,2016).

I'm using the following line:

msiexec.exe /i splunkforwarder-7.3.4.msi FORWARD_SERVER="ADDserver:9991" WINEVENTLOG_SEC_ENABLE=0 WINEVENTLOG_SYS_ENABLE=0 SPLUNKPASSWORD=*Password* /L*v logfile.txt LAUNCHSPLUNK=1 SERVICESTARTTYPE=auto AGREETOLICENSE=yes /quiet

The App gets installed and but no Logs packages are sent to the Server, The netstat command doesn't show me any: 9991 port connection.
I've done the confirmation using "sc query SplunkForwarder" and the service is running, but again no log gets to be sent to my Splunk Console (Server).

Help please, I'll provide any information you want to know. Or that I'm missing

0 Karma
1 Solution

jhornsby_splunk
Splunk Employee
Splunk Employee

Hi @briansarmiento,

The property to set to specify an indexer for the UF is RECEIVING_INDEXER, not FORWARD_SERVER. Please see here: https://docs.splunk.com/Documentation/Forwarder/7.3.4/Forwarder/InstallaWindowsuniversalforwarderfro...

Cheers,

- Jo.

View solution in original post

jhornsby_splunk
Splunk Employee
Splunk Employee

Hi @briansarmiento,

The property to set to specify an indexer for the UF is RECEIVING_INDEXER, not FORWARD_SERVER. Please see here: https://docs.splunk.com/Documentation/Forwarder/7.3.4/Forwarder/InstallaWindowsuniversalforwarderfro...

Cheers,

- Jo.

MuS
SplunkTrust
SplunkTrust

Hi brainsarmiento,

assuming you ran the netstat on the nix indexer to check port 9991 - that might sound like a networking/routing/firewall issue.
Here is also a good troubleshooting guide https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Cantfinddata if it's not related to connectivity.

Hope this helps ...

cheers, MuS

briansarmiento
Explorer

Hi MuS,

how can I confirm its a Firewall issue?, Cause all of my infrastructure its connected to LAN.

0 Karma

MuS
SplunkTrust
SplunkTrust

Login to one server that runs the universal forwarder and run a telnet ADDserver 9991 and see if you get a connection established or a timeout.

cheers, MuS

Get Updates on the Splunk Community!

Platform Highlights | November 2022 Newsletter

 November 2022 Skill Up on Splunk with our New Builder Tech Talk SeriesCan you build it? Yes you can! *play ...

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...