Re: Unable to add more sources to Universal Forwar...

yossefn · ‎01-18-2018

Hi,

I'm pretty new in the Splunk field.
I've installed a little environment of Splunk on virtual machine and Universal Forwarder on my own machine (both are windows).
When I'm trying to add more sources to the Forwarder such as log file, I can see the changes in the App's inputs.conf file but there are now events getting in to the system. I did a restart to the splunkd service on my machine and didn't help.
What I'm missing here?

HiroshiSatoh · ‎01-18-2018

Can I search Forwarder's system log?
If you can not find it, it's a problem with the network or outputs.conf.
If you can search it is a problem with inputs.conf.
Mistakes in setting, differences in character codes, etc. can be assumed.

davpx · ‎01-18-2018

would you mind posting the inputs.conf stanza you are using?

yossefn · ‎01-22-2018

Hi davpx,

Here is what I have in the inputs.conf file under "C:\Program Files\Splunk\etc\system\local"
This is the one you're looking for?

[default]
host = S0011
index = mypc

skoelpin · ‎01-18-2018

You should check out /opt/splunkforwarder/var/log/splunk/splunkd.log for errors

yossefn · ‎01-22-2018

Hi skoelpin,

The attached error are appears many times in the splunkd.log file

ERROR KVStorageProvider - An error occurred during the last operation ('saveBatchData', domain: '11', code: '22'): Cannot do an empty bulk write

Unable to add more sources to Universal Forwarder

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...