Ubuntu not shown up in Forwarder Management

Tybe
Engager

Hello everybody 😀

I'm new here and recently I created this:

  • Ubuntu : splunk server
  • Ubuntu : splunk forwarder 
  • Windows 10 : splunk forwarder 

I followed the Splunk How-To video for ubuntu splunkfwd : https://www.youtube.com/watch?v=rs6q28xUd-o&t=191s

I can see my host in the data summary but not in Forwarder Management: how could you explain it? I'm thinking about permissions maybe, so here it is:

[Screenshot: Tybe_0-1702657245108.png]

I also added a deploymentclient.conf in:

/opt/splunkforwarder/etc/system/local/
nano deploymentclient.conf

[deployment-client]

[target-broker:deploymentServer]
targetUri = 192.ipfromserver:8089

Have a great evening 

0 Karma

inventsekar
SplunkTrust

Well, this requires some testing to find out whether this is really an issue.

If yes, then my view is... the forwarder mgmt in DMC works as per its design. It may have some "frequency" of when to read and load the fwders info. At times some "small delay" is accepted.

If no, then may we know your Splunk version details, pls. Could you pls suggest what delay you felt.. I will try to find more details for you.

Thanks for learning Splunk. Have a great day!

Tybe
Engager

Hello @inventsekar ,

 

Thanks for replying ! 

Here is the info : 

Splunk Enterprise
Version : 8.2.4

Delay : around 10min

Kind regards 🙂

0 Karma

isoutamo
SplunkTrust

Hi

Some comments, even though this is an old post.

DMC/MC (if you have configured forwarders there) shows all nodes which have sent any _internal log events to the indexers, where the MC will look for those periodically and create a lookup file for them. Basically this means that until those events are in the _internal log you will see those in the MC forwarder dashboard.

I think that the DS's forwarder management uses REST requests from clients (DC) to keep track of which DCs are active. Actually this means that until a DC makes a poll, the DS doesn't know about it. The same will always happen after you 1) reboot Splunk and/or you reload deploy-config after changes. The "missing time" will depend on how often your clients are polling the DS. Default is 1min

phoneHomeIntervalInSecs = <decimal>
* How frequently, in seconds, this deployment client should
  check for new content.
* Fractional seconds are allowed.
* Default: 60.

Depending on your environment you could/should increase this to e.g. 5min.

Another thing. You should never use system/local to store any configuration (there are some exceptions). Especially DC configurations should be under their own app. That way you can manage those via the DS instead of managing those locally.

r. Ismo

0 Karma
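
The two recommendations in the answer above (a longer phone-home interval, and deployment-client settings kept in their own app instead of system/local), as an added shell example that is not code from the thread or from Splunk. The app name `org_all_deploymentclient` and the 300-second interval are assumptions; the check relies on system/local taking precedence over app directories in Splunk's configuration layering.

```shell
#!/bin/sh
# Added example. Assumed names: the app directory "org_all_deploymentclient".
# Stanza and setting names are the ones quoted in the thread.

# Write the deployment-client settings into their own app under etc/apps.
# $1 = SPLUNK_HOME, $2 = deployment server host:port, $3 = phone-home seconds
write_dc_app() {
    app_local="$1/etc/apps/org_all_deploymentclient/local"
    mkdir -p "$app_local"
    cat > "$app_local/deploymentclient.conf" <<EOF
[deployment-client]
phoneHomeIntervalInSecs = $3

[target-broker:deploymentServer]
targetUri = $2
EOF
}

# Print the file whose targetUri takes effect. system/local is checked
# first because it outranks every app, so a copy left there overrides
# whatever the deployment server later pushes. Ordering among several
# apps is not modelled here (plain shell glob order).
# $1 = SPLUNK_HOME
winning_dc_conf() {
    for f in "$1/etc/system/local/deploymentclient.conf" \
             "$1"/etc/apps/*/local/deploymentclient.conf; do
        if [ -f "$f" ] && grep -q '^[[:space:]]*targetUri[[:space:]]*=' "$f"; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Retire the hand-edited copy once the app exists (kept as .bak for rollback).
# $1 = SPLUNK_HOME
retire_system_local() {
    old="$1/etc/system/local/deploymentclient.conf"
    if [ -f "$old" ]; then mv "$old" "$old.bak"; fi
}
```

Run the three functions against `/opt/splunkforwarder` in that order and restart the forwarder afterwards so the new file is read.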

Tybe
Engager

As I posted this question my Ubuntu forwarder appeared! Could anyone here explain to me why it seems the Linux forwarder took longer than Windows to appear?

0 Karma