- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Unable to get data into Splunk Cloud
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1. I have installed universal forwarder and have a Splunk cloud account.
2. On the laptop in universal forwarder, i downloaded the file and execute the command: /opt/splunkforwarder/bin/splunk install app /tmp/splunkclouduf.spl.
3. I restart the splunk process.
No data went in, may I know why?
Note: I am trying to forward the Windows event log which is the same host where i installed the Splunk universal forwarder
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What you have gotten on step 7? If connection works then there should be some events which has come from your window workstation.
If/when you are skipping step 4&5 then there haven' teen configured any real inputs to your windows infra unless you add those manually on your UF hosts.
r. Ismo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1. I have installed universal forwarder and have a Splunk cloud account.
2. Installed Splunk using this command /opt/splunkforwarder/bin/splunk install app /tmp/splunkclouduf.spl.
3. restarted to get changes into effect.
no logs in Splunk cloud
index= "*" found nothing
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This question already has a solution. Please post a new question with details about your problem.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In splunk cloud, I went to Apps -> Browse more apps
Enter windows
Installed Splunk Add-On for Microsoft Windows
After that, the data was parsed correctly, can mark this as solved.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From Splunk cloud:
To set up the Universal Forwarder:
- Download the Splunk universal forwarder.
- Install the universal forwarder on one or more machines in your network.
- Download your customized universal forwarder credentials package.
- Install the universal forwarder credentials package on each universal forwarder in your network.
- Configure your universal forwarders to send data to the Splunk platform.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you see the forwarder's internal logs in Splunk Cloud? If so, then either no inputs are enabled or Splunk is unable to read the input. Check the logs for details.
If you don't see the forwarder's internal logs in Splunk Cloud then there's a problem connecting. Check the UF's logs locally for details.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can't I skip step 4 & 5 and go straight towards install the Splunk universal forwarder?
In the splunk forwarder I see,
12-02-2021 22:26:21.612 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'
12-02-2021 22:26:41.414 +0800 INFO AutoLoadBalancedConnectionStrategy [10792 TcpOutEloop] - Found currently active indexer. Connected to idx=54.83.75.76:9997, reuse=1.
12-02-2021 22:26:52.019 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'
12-02-2021 22:27:11.318 +0800 INFO AutoLoadBalancedConnectionStrategy [10792 TcpOutEloop] - Found currently active indexer. Connected to idx=54.83.75.76:9997, reuse=1.
12-02-2021 22:27:22.282 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'
12-02-2021 22:27:41.208 +0800 INFO AutoLoadBalancedConnectionStrategy [10792 TcpOutEloop] - Found currently active indexer. Connected to idx=54.83.75.76:9997, reuse=1.
12-02-2021 22:27:51.500 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'
12-02-2021 22:28:11.073 +0800 INFO AutoLoadBalancedConnectionStrategy [10792 TcpOutEloop] - Found currently active indexer. Connected to idx=54.83.75.76:9997, reuse=1.
12-02-2021 22:28:21.782 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'
12-02-2021 22:28:40.951 +0800 INFO AutoLoadBalancedConnectionStrategy [10792 TcpOutEloop] - Found currently active indexer. Connected to idx=54.83.75.76:9997, reuse=1.
12-02-2021 22:28:52.022 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'
12-02-2021 22:29:10.804 +0800 INFO AutoLoadBalancedConnectionStrategy [10792 TcpOutEloop] - Found currently active indexer. Connected to idx=54.83.75.76:9997, reuse=1.
12-02-2021 22:29:22.164 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'
12-02-2021 22:29:40.691 +0800 INFO AutoLoadBalancedConnectionStrategy [10792 TcpOutEloop] - Found currently active indexer. Connected to idx=54.83.75.76:9997, reuse=1.
12-02-2021 22:29:52.369 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What you have gotten on step 7? If connection works then there should be some events which has come from your window workstation.
If/when you are skipping step 4&5 then there haven' teen configured any real inputs to your windows infra unless you add those manually on your UF hosts.
r. Ismo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I added inputs.conf in
C:\Program Files\SplunkUniversalForwarder\etc\apps\100_prd-p-gvnkg_splunkcloud\local
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
index=winevent
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml=true
index=winevent
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
index=winevent
I saw some application logs inside, but seems like they did not parse correctly. I go ahead and install the Windows add-on app on the Splunk cloud?
New Case Study Shows the Value of Partnering with Splunk Academic Alliance
How to Monitor Google Kubernetes Engine (GKE)
Index This | How can you make 45 using only 4?
