Getting Data In

Universal Forwarder- Am I misunderstanding the UF?

socks
Loves-to-Learn Lots

Good morning all,

I have a standalone Splunk installation. There is no syslog data being transmitted, and I'm really not getting any data collected from the universal forwarder. It is phoning home; however, I don't see any data from the Linux server that it is installed on. I don't see any log modifications or anything. Am I misunderstanding the UF?

0 Karma

gcusello
SplunkTrust

Hi @socks,

Let me better understand your architecture:

  • you have a standalone Splunk on a Linux server,
  • then you have a Universal Forwarder on another machine (not on the same one) connected with the Splunk Server,
  • you don't see any data from the Universal Forwarder in the Splunk Server,

Is that correct?

Have you seen the documentation about getting data in from forwarders at https://docs.splunk.com/Documentation/Splunk/latest/Data/Usingforwardingagents ?

or https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-configure-a-Splunk-Forwarder-on-Linux/... 

Did you configure receiving in the Splunk Server [Settings -- Forwarding and Receiving -- Receiving]?

Did you configure your Universal Forwarder to send data to Splunk by modifying outputs.conf?

https://docs.splunk.com/Documentation/Forwarder/9.0.1/Forwarder/Configuretheuniversalforwarder

Did you configure inputs?

Ciao.

Giuseppe

 

0 Karma

isoutamo
SplunkTrust

Hi

Here are instructions on how to install the UF and enable receiving on the indexer (on an all-in-one node): https://docs.splunk.com/Documentation/Forwarder/9.0.1/Forwarder/Installanixuniversalforwarder

Your issue sounds like you haven’t configured any inputs! Do you have any serverclasses and apps on your server side? Have you checked that you have any internal logs from that node? Just check from the MC or just with SPL:

index=_internal host=<your UF> sourcetype=splunkd earliest=0

If you find any events, then it can send events to the server. If not, then you are probably missing outputs.conf https://docs.splunk.com/Documentation/Splunk/9.0.1/Admin/Outputsconf. Just add this to point to your server, and then internal events should be found on the server.

r. Ismo

0 Karma
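The three settings both replies ask about (receiving on the server, outputs.conf on the forwarder, and an input on the forwarder), shown together as an added example that is not part of either reply. The hostname splunk.example.com, port 9997, the group name, the monitored path and the index are assumptions to replace with your own values.

```ini
# --- Splunk server: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Equivalent to Settings > Forwarding and receiving > Receiving.
# Port 9997 is an assumption; use whatever port you enabled.
[splunktcp://9997]
disabled = 0

# --- Universal Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Tells the UF where to send data. Without this the UF collects nothing
# that reaches the server, not even its own _internal logs.
[tcpout]
defaultGroup = primary_indexers

# "primary_indexers" is a hypothetical group name.
[tcpout:primary_indexers]
# Placeholder host; must match the receiving port above.
server = splunk.example.com:9997

# --- Universal Forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# The UF only forwards what an input stanza tells it to read.
# /var/log/messages is an assumed path; the account running the UF
# must have read permission on it.
[monitor:///var/log/messages]
sourcetype = syslog
index = main
disabled = 0
```

Restart the forwarder after editing these files. The `index=_internal host=<your UF>` search from the reply above then shows whether the forwarder is reaching the server, independently of whether the monitored file is producing events.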