Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Universal Forwarder- Am I misunderstanding the UF?

socks
Loves-to-Learn Lots
‎10-07-2022 10:17 AM

Good Morning all ,

 I have a standalone splunk installation , there is no syslog data being transmitted and Im really not getting any data collected from the universal forwarded it is phoning home however i dont see any data from the linux server that it is installed on. I dont see any log modifications or anything . am i mis understanding the UF

Labels (2)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-07-2022 10:26 AM

Hi @socks,

let me better understand your architecture:

  • you have a stand alone Splunk on a linux server,
  • then you have a Universal Forwarder on another machine (not on the same) connected with the Splunk Server,
  • you don't see any data from the Universal Forwarder in the Splunk Server,

is it correct?

have you seen the documentation about getting data in from forwarders at https://docs.splunk.com/Documentation/Splunk/latest/Data/Usingforwardingagents  ?

or https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-configure-a-Splunk-Forwarder-on-Linux/... 

Did you configured receinving in the Splunk Server [Settings -- Forwarding and Receiving -- Receiving]?

Did you configured your Universal Forwarder to send data to Splunk modifyng outputs.conf ?

https://docs.splunk.com/Documentation/Forwarder/9.0.1/Forwarder/Configuretheuniversalforwarder 

Did you configured inputs?

Ciao.

Giuseppe

 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎10-07-2022 01:24 PM

Hi

here is instructions how to install UF and enable receiving on indexer (on all in one node). https://docs.splunk.com/Documentation/Forwarder/9.0.1/Forwarder/Installanixuniversalforwarder

Your issue sounds like you haven’t configured any inputs! Have you any serverclasses and apps on your server side? Have you check that you have any internal logs from that node? Just check from MC or just wit SPL 

index=_internal host=<your UF> sourcetype=splunkd earliest=0

If you found any events then it can send events to  server. If not then probably  you are missing outputs.conf https://docs.splunk.com/Documentation/Splunk/9.0.1/Admin/Outputsconf. Just add this to point your server and then internal events should found on server.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...