Getting Data In

Unable to get data into Splunk Cloud

z080236
Explorer

1. I have installed universal forwarder and have a Splunk cloud account.

2. On the laptop in the universal forwarder, I downloaded the file and executed the command: /opt/splunkforwarder/bin/splunk install app /tmp/splunkclouduf.spl

3. I restarted the Splunk process.

No data went in, may I know why?

Note: I am trying to forward the Windows event log, which is on the same host where I installed the Splunk universal forwarder.

0 Karma
1 Solution

isoutamo
SplunkTrust

What have you gotten on step 7? If the connection works then there should be some events which have come from your Windows workstation.

If/when you are skipping steps 4 & 5 then there haven't been configured any real inputs to your Windows infra unless you add those manually on your UF hosts.

r. Ismo


bharath-boppid
Loves-to-Learn Lots

1. I have installed universal forwarder and have a Splunk cloud account.

2. Installed Splunk using this command: /opt/splunkforwarder/bin/splunk install app /tmp/splunkclouduf.spl

3. Restarted to get the changes into effect.

No logs in Splunk Cloud.

index="*" found nothing.

0 Karma

richgalloway
SplunkTrust

This question already has a solution.  Please post a new question with details about your problem.

---
If this reply helps you, Karma would be appreciated.

z080236
Explorer

In splunk cloud, I went to Apps -> Browse more apps

Enter windows

Installed Splunk Add-On for Microsoft Windows

After that, the data was parsed correctly. This can be marked as solved.

0 Karma

z080236
Explorer

From Splunk Cloud:

To set up the Universal Forwarder:

  1. Download the Splunk universal forwarder. (Splunk Downloads web page)
  2. Install the universal forwarder on one or more machines in your network. (Installation Instructions)
  3. Download your customized universal forwarder credentials package. (Download Universal Forwarder Credentials)
  4. Install the universal forwarder credentials package on each universal forwarder in your network. (Installation Instructions)
  5. Configure your universal forwarders to send data to the Splunk platform. (Configure data inputs)

0 Karma

richgalloway
SplunkTrust

Do you see the forwarder's internal logs in Splunk Cloud?  If so, then either no inputs are enabled or Splunk is unable to read the input.  Check the logs for details.

If you don't see the forwarder's internal logs in Splunk Cloud then there's a problem connecting.  Check the UF's logs locally for details.

---
If this reply helps you, Karma would be appreciated.
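The two-branch check above (is the forwarder connected at all, and if so, is any input actually producing data) can be run mechanically over the UF's local splunkd.log. The script below is an added example, not code from this thread or from Splunk; its log lines are constructed, and the component names it keys on beyond the ones visible in the thread (TcpOutputProc, ExecProcessor) are assumptions about splunkd.log's format.

```python
import re

# Constructed samples (not from any real host). SAMPLE_QUIET has the shape of the
# lines in the thread: the indexer connection succeeds but the only file read is the
# UF's own tracker.log. SAMPLE_BROKEN adds made-up error lines of the kind to grep
# for. 192.0.2.10 is a documentation-range address.
SAMPLE_QUIET = """\
12-02-2021 22:26:21.612 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\\Program Files\\SplunkUniversalForwarder\\var\\spool\\splunk\\tracker.log'
12-02-2021 22:26:41.414 +0800 INFO AutoLoadBalancedConnectionStrategy [10792 TcpOutEloop] - Found currently active indexer. Connected to idx=192.0.2.10:9997, reuse=1.
"""
SAMPLE_BROKEN = SAMPLE_QUIET + """\
12-02-2021 22:27:05.001 +0800 WARN TcpOutputProc [10792 TcpOutEloop] - Cooked connection to ip=192.0.2.10:9997 timed out
12-02-2021 22:27:30.500 +0800 ERROR ExecProcessor [4411 ExecProcessor] - message from "splunk-winevtlog.exe" WinEventLogChannel: cannot open channel 'Security'
"""

# splunkd.log line: "<date> <time> <tz> <LEVEL> <Component> [<thread>] - <message>"
LINE_RE = re.compile(r"^(\S+ \S+ [+-]\d{4}) ([A-Z]+) (\S+) \[([^\]]*)\] - (.*)$")

def triage(log_text):
    """Two-branch check from the thread: can the UF reach an indexer at all, and if so,
    is any real input (not the UF's own tracker.log) producing data or errors?"""
    connected, conn_errors, input_errors = set(), [], []
    input_seen = False
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        _ts, level, comp, _thread, msg = m.groups()
        if comp == "AutoLoadBalancedConnectionStrategy":
            if idx := re.search(r"Connected to idx=([^,\s]+)", msg):
                connected.add(idx.group(1))
        elif comp.startswith("TcpOutput") and level in ("WARN", "ERROR"):
            conn_errors.append(msg)          # forwarder-to-indexer trouble
        elif comp == "TailReader" and "tracker.log" in msg:
            continue                         # UF housekeeping, not user data
        elif "WinEventLog" in msg or "winevtlog" in msg:
            input_seen = True                # a Windows event log input is alive
            if level in ("WARN", "ERROR"):
                input_errors.append(msg)
    if conn_errors or not connected:
        verdict = "CONNECTION_PROBLEM"       # check outputs.conf / credentials app / port 9997
    elif input_errors:
        verdict = "INPUT_ERRORS"             # inputs exist but cannot read their source
    elif not input_seen:
        verdict = "NO_INPUT_ACTIVITY"        # the thread's case: nothing configured to collect
    else:
        verdict = "OK"
    return {"connected": sorted(connected), "conn_errors": conn_errors,
            "input_errors": input_errors, "verdict": verdict}
```

Run it over the real file with `triage(open(path, encoding="utf-8").read())`; a NO_INPUT_ACTIVITY verdict with a populated `connected` list is exactly the "connected but no inputs" state the thread describes.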

z080236
Explorer

https://docs.splunk.com/Documentation/SplunkCloud/8.2.2109/Admin/WindowsGDI#Step_3:_Configure_indexe...

Can't I skip steps 4 & 5 and go straight to installing the Splunk universal forwarder?

In the Splunk forwarder I see:

12-02-2021 22:26:21.612 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'
12-02-2021 22:26:41.414 +0800 INFO AutoLoadBalancedConnectionStrategy [10792 TcpOutEloop] - Found currently active indexer. Connected to idx=54.83.75.76:9997, reuse=1.
12-02-2021 22:26:52.019 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'
12-02-2021 22:27:11.318 +0800 INFO AutoLoadBalancedConnectionStrategy [10792 TcpOutEloop] - Found currently active indexer. Connected to idx=54.83.75.76:9997, reuse=1.
12-02-2021 22:27:22.282 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'
12-02-2021 22:27:41.208 +0800 INFO AutoLoadBalancedConnectionStrategy [10792 TcpOutEloop] - Found currently active indexer. Connected to idx=54.83.75.76:9997, reuse=1.
12-02-2021 22:27:51.500 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'
12-02-2021 22:28:11.073 +0800 INFO AutoLoadBalancedConnectionStrategy [10792 TcpOutEloop] - Found currently active indexer. Connected to idx=54.83.75.76:9997, reuse=1.
12-02-2021 22:28:21.782 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'
12-02-2021 22:28:40.951 +0800 INFO AutoLoadBalancedConnectionStrategy [10792 TcpOutEloop] - Found currently active indexer. Connected to idx=54.83.75.76:9997, reuse=1.
12-02-2021 22:28:52.022 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'
12-02-2021 22:29:10.804 +0800 INFO AutoLoadBalancedConnectionStrategy [10792 TcpOutEloop] - Found currently active indexer. Connected to idx=54.83.75.76:9997, reuse=1.
12-02-2021 22:29:22.164 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'
12-02-2021 22:29:40.691 +0800 INFO AutoLoadBalancedConnectionStrategy [10792 TcpOutEloop] - Found currently active indexer. Connected to idx=54.83.75.76:9997, reuse=1.
12-02-2021 22:29:52.369 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'

0 Karma

z080236
Explorer

I added inputs.conf in 

C:\Program Files\SplunkUniversalForwarder\etc\apps\100_prd-p-gvnkg_splunkcloud\local

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
index=winevent


[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml=true
index=winevent

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
index=winevent

I saw some application logs inside, but it seems like they did not parse correctly. Should I go ahead and install the Windows add-on app on Splunk Cloud?

https://splunkbase.splunk.com/app/742/

0 Karma
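The inputs.conf above is the piece isoutamo said was missing; a quick sanity check that each stanza can actually deliver data catches the two silent failures a practitioner most often hits here (a stanza left disabled, or an index that does not exist on the stack, since indexers discard events addressed to a non-existent index). The checker below is an added example, not code from this thread or from Splunk; the inputs.conf text and the CLOUD_INDEXES set are constructed/assumed.

```python
import configparser

# Constructed inputs.conf in the layout used in the thread; the System stanza is
# deliberately broken here (disabled, misspelled index) to show what the check catches.
SAMPLE_INPUTS = """\
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
renderXml=true
index=winevent

[WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 1
renderXml=true
index=winevent

[WinEventLog://System]
disabled = 1
renderXml=true
index=winevnet
"""

# Assumed set of indexes that exist on the Splunk Cloud stack; in practice take it
# from Settings > Indexes on the search head.
CLOUD_INDEXES = {"main", "winevent", "_internal"}

def check_inputs(text, known_indexes):
    """Return (stanza, problem) pairs for WinEventLog stanzas that cannot deliver
    searchable data: disabled, no index, or an index the stack does not have
    (indexers discard events addressed to a non-existent index)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                 # keep key case (renderXml, checkpointInterval)
    cp.read_string(text)
    stanzas = [s for s in cp.sections() if s.startswith("WinEventLog://")]
    if not stanzas:                      # isoutamo's point: no stanzas, nothing collected
        return [("(file)", "no WinEventLog stanzas; nothing will be collected")]
    problems = []
    for s in stanzas:
        sec = cp[s]
        if sec.get("disabled", "0").strip().lower() in ("1", "true"):
            problems.append((s, "stanza is disabled"))
        idx = sec.get("index", "").strip()
        if not idx:
            problems.append((s, "no index set; events land in the indexer's default index"))
        elif idx not in known_indexes:
            problems.append((s, f"index '{idx}' does not exist on the stack; events are dropped"))
    return problems
```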