Getting Data In

Trouble getting the Windows universal forwarder to forward data

ShaunBaker
Path Finder

Hello all, I can't seem to get the Windows universal forwarder to forward data.
- Splunk indexer (7.x.x) is on CentOS 7, 8089 and 9997 open on the firewall
- Latest Splunk forwarder installed on Windows 10
- Did not go into Customize in the Windows installer GUI, but did put the Windows event log stanza from the documentation into the forwarder's inputs.conf (system/local).
- Opened a 9997 data input in the web UI
- Turned off the Windows firewall for troubleshooting.
- Downloaded various Windows apps/add-ons to the Splunk indexer, thinking it was a deployment thing

What am I missing?

0 Karma

ShaunBaker
Path Finder

I have the Splunk add-on for Windows on the indexer. Am I supposed to move it from apps to deployment-apps so that it can be used for a server class?

0 Karma

mtulett_splunk
Splunk Employee

I've updated my answer with a link to the installation guide for universal forwarders.

You can place the Add-on in deployment apps, but you will need to configure the universal forwarder to poll the indexer for configuration, as well as creating a server class for the server (this can be achieved through conf files or the GUI).

I would suggest reading the 'About deployment server' documentation from the link in my answer if you are curious about this, as the topic is too large to properly cover in an answer here.

0 Karma

ShaunBaker
Path Finder

I think I got it working. I copied the Windows add-on over to deployment-apps and already had the client showing up in Forwarder Management, so I created a server class, added the Windows app, and after a while the Windows logs finally started rolling in.

0 Karma

mtulett_splunk
Splunk Employee

Great to hear!

0 Karma

mtulett_splunk
Splunk Employee

The Add-on has all the right configuration to ingest Windows events. This needs to be installed on the universal forwarder so that the forwarder knows what information to push to the indexer.

Typically, a deployment server is used to push this configuration to the universal forwarders. You can read more about them here:
http://docs.splunk.com/Documentation/Splunk/7.0.0/Updating/Aboutdeploymentserver
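As an added illustration of what the two answers above describe (the forwarder sending to the indexer, polling the deployment server for configuration, and a server class that pushes the Windows add-on), here is a minimal set of the .conf files involved. This is example configuration written for this thread, not files from the original posts or from the add-on itself. The hostname splunk-indexer.example.local, the client name win10-workstation, the whitelist pattern and the server class name are assumptions; 8089 and 9997 are the ports from the question, and Splunk_TA_windows is the add-on's folder name. Splunk .conf files do not accept trailing comments, so every comment sits on its own line.

```ini
# ===== On the Windows universal forwarder =====

# %SPLUNK_HOME%\etc\system\local\outputs.conf
# Send collected data to the indexer's receiving port (the 9997 input opened in the web UI).
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
# hostname assumed for this example
server = splunk-indexer.example.local:9997

# %SPLUNK_HOME%\etc\system\local\deploymentclient.conf
# Poll the deployment server for configuration. In this thread the indexer itself
# acts as deployment server, so its management port 8089 is the target.
[deployment-client]
# assumed name; this is what appears under Forwarder Management
clientName = win10-workstation

[target-broker:deploymentServer]
targetUri = splunk-indexer.example.local:8089

# ===== On the deployment server (the CentOS 7 indexer here) =====

# $SPLUNK_HOME/etc/system/local/serverclass.conf
# Map the Windows clients to the add-on that was copied into
# $SPLUNK_HOME/etc/deployment-apps/Splunk_TA_windows
[serverClass:windows_forwarders]
# match clients by name pattern (assumed) and restrict to Windows hosts
# so a Linux forwarder never receives Windows event log inputs
whitelist.0 = win10-*
machineTypesFilter = windows-x64

[serverClass:windows_forwarders:app:Splunk_TA_windows]
# restart the forwarder once the app lands so the new inputs take effect
restartSplunkd = true

# $SPLUNK_HOME/etc/deployment-apps/Splunk_TA_windows/local/inputs.conf
# Explicitly enable the event log channels to collect; keep changes in local/
# so they survive an add-on upgrade.
[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

[WinEventLog://Application]
disabled = 0
```

With these in place, the forwarder checks in with the deployment server, the server class matches it, and the add-on (with its inputs.conf) is pushed down and the forwarder restarted. Putting the WinEventLog stanzas in the deployed app rather than in the forwarder's own system/local, as the question did, keeps the inputs managed centrally and avoids two copies of the same stanza competing on the forwarder. A reload of the deployment server (a restart, or the reload deploy-server CLI command) is needed after editing serverclass.conf.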
