Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unable to get data into Splunk Cloud

z080236
Explorer
‎12-02-2021 04:54 AM

1. I have installed universal forwarder and have a Splunk cloud account.

2. On the laptop in universal forwarder, i downloaded the file and execute the command:  /opt/splunkforwarder/bin/splunk install app /tmp/splunkclouduf.spl.

3. I restart the splunk process.

 

No data went in, may I know why?

 

Note: I am trying to forward the Windows event log which is the same host where i installed the Splunk universal forwarder

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎12-02-2021 06:40 AM

What you have gotten on step 7? If connection works then there should be some events which has come from your window workstation.

If/when you are skipping step 4&5 then there haven' teen configured any real inputs to your windows infra unless you add those manually on your UF hosts.

r. Ismo

View solution in original post

Reply
Solved! Jump to solution

bharath-boppid
Loves-to-Learn Lots
‎04-06-2022 03:50 PM

1. I have installed universal forwarder and have a Splunk cloud account.

2. Installed Splunk using this command /opt/splunkforwarder/bin/splunk install app /tmp/splunkclouduf.spl.

3. restarted to get changes into effect.

no logs in Splunk cloud

index= "*" found nothing

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-06-2022 05:16 PM

This question already has a solution.  Please post a new question with details about your problem.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

z080236
Explorer
‎12-02-2021 07:06 AM

In splunk cloud, I went to Apps -> Browse more apps

Enter windows

Installed Splunk Add-On for Microsoft Windows

 

After that, the data was parsed correctly, can mark this as solved.

0 Karma
Reply
Solved! Jump to solution

z080236
Explorer
‎12-02-2021 06:39 AM

From Splunk cloud:

To set up the Universal Forwarder:

  1. Download the Splunk universal forwarder.

    Splunk Downloads web page 

  2. Install the universal forwarder on one or more machines in your network.

    Installation Instructions 

  3. Download your customized universal forwarder credentials package.

    Download Universal Forwarder Credentials

  4. Install the universal forwarder credentials package on each universal forwarder in your network.

    Installation Instructions 

  5. Configure your universal forwarders to send data to the Splunk platform.

    Configure data inputs 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-02-2021 05:21 AM

Do you see the forwarder's internal logs in Splunk Cloud?  If so, then either no inputs are enabled or Splunk is unable to read the input.  Check the logs for details.

If you don't see the forwarder's internal logs in Splunk Cloud then there's a problem connecting.  Check the UF's logs locally for details.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

z080236
Explorer
‎12-02-2021 06:30 AM

https://docs.splunk.com/Documentation/SplunkCloud/8.2.2109/Admin/WindowsGDI#Step_3:_Configure_indexe...

Can't I skip step 4 & 5 and go  straight towards install the Splunk universal forwarder?

 

In the splunk forwarder I see,

12-02-2021 22:26:21.612 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'
12-02-2021 22:26:41.414 +0800 INFO AutoLoadBalancedConnectionStrategy [10792 TcpOutEloop] - Found currently active indexer. Connected to idx=54.83.75.76:9997, reuse=1.
12-02-2021 22:26:52.019 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'
12-02-2021 22:27:11.318 +0800 INFO AutoLoadBalancedConnectionStrategy [10792 TcpOutEloop] - Found currently active indexer. Connected to idx=54.83.75.76:9997, reuse=1.
12-02-2021 22:27:22.282 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'
12-02-2021 22:27:41.208 +0800 INFO AutoLoadBalancedConnectionStrategy [10792 TcpOutEloop] - Found currently active indexer. Connected to idx=54.83.75.76:9997, reuse=1.
12-02-2021 22:27:51.500 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'
12-02-2021 22:28:11.073 +0800 INFO AutoLoadBalancedConnectionStrategy [10792 TcpOutEloop] - Found currently active indexer. Connected to idx=54.83.75.76:9997, reuse=1.
12-02-2021 22:28:21.782 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'
12-02-2021 22:28:40.951 +0800 INFO AutoLoadBalancedConnectionStrategy [10792 TcpOutEloop] - Found currently active indexer. Connected to idx=54.83.75.76:9997, reuse=1.
12-02-2021 22:28:52.022 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'
12-02-2021 22:29:10.804 +0800 INFO AutoLoadBalancedConnectionStrategy [10792 TcpOutEloop] - Found currently active indexer. Connected to idx=54.83.75.76:9997, reuse=1.
12-02-2021 22:29:22.164 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'
12-02-2021 22:29:40.691 +0800 INFO AutoLoadBalancedConnectionStrategy [10792 TcpOutEloop] - Found currently active indexer. Connected to idx=54.83.75.76:9997, reuse=1.
12-02-2021 22:29:52.369 +0800 INFO TailReader [13912 tailreader0] - Batch input finished reading file='C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log'

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎12-02-2021 06:40 AM

What you have gotten on step 7? If connection works then there should be some events which has come from your window workstation.

If/when you are skipping step 4&5 then there haven' teen configured any real inputs to your windows infra unless you add those manually on your UF hosts.

r. Ismo

Reply
Solved! Jump to solution

z080236
Explorer
‎12-02-2021 06:58 AM

I added inputs.conf in 

C:\Program Files\SplunkUniversalForwarder\etc\apps\100_prd-p-gvnkg_splunkcloud\local

 

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
index=winevent


[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml=true
index=winevent

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
index=winevent

 

 

I saw some application logs inside, but seems like they did not parse correctly. I go ahead and install the Windows add-on app on the Splunk cloud?

https://splunkbase.splunk.com/app/742/

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
li.common.scroll-to.top