Getting Data In

Universal Forwarder on Windows

pfabrizi
Path Finder

I am testing an install of the universal forwarder for Windows. I am running Splunk Enterprise 6.5.1, but the universal forwarder I installed on Windows is 6.6.2.

Is it a compatibility issue? I get these errors:

8-21-2017 13:16:00.593 -0400 WARN TcpOutputFd - Connect to 10.83.180.135:9997 failed. A socket operation was attempted to an unreachable network.

8-21-2017 13:16:00.593 -0400 ERROR TcpOutputFd - Connection to host=10.83.180.135:9997 failed

0 Karma
1 Solution

skoelpin
SplunkTrust

It's not a compatibility issue, it's an issue with your forwarder connecting to your indexer. Did you enable receiving on the indexer? If not, go to Settings > Forwarding & Receiving > Enable Receiving and add port 9997 to listen on.


0 Karma

pfabrizi
Path Finder

So I have it forwarding now; I was missing an inputs.conf configuration. It was the out-of-the-box default, I guess.

What I do have a question about is the folder structure.

My other Windows server has a custom configuration folder that I think was pushed to it from the deployment server?

I am not really sure since we had a consultant set all this up and I haven't had any training to date.

0 Karma

tmarlette
Motivator

You will likely need some training, my friend. I suggest the administration course. Check here:
https://www.splunk.com/view/SP-CAAAAH9?ac=News_Feb09_EDU

The only folder that overrides /$SPLUNK_HOME/etc/apps/ is
$SPLUNK_HOME/etc/system/

Also, there should never be a reason to touch /etc/system/default. Bad things can happen if you mess up there and there's no fallback. You changed the right one in /etc/system/local. Always make changes there.

If you have conflicting configurations, it's common that there's something in /etc/system/local.

Folder priority is a pretty dense topic with Splunk, and depends heavily on your architecture.

Also... if you manipulated your forwarder manually, you may want to check the others for a deploymentclient.conf file somewhere, either in /etc/system/apps/ or in /etc/system/local.

If you're using a DS, there is a default configuration that ANY Windows forwarder will pull down as soon as it connects.

0 Karma
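The layering tmarlette describes is what decides which of several outputs.conf copies a forwarder actually honours. The script below is an added example, written for this thread and not taken from Splunk or from any poster: it applies the global-context precedence order as documented by Splunk (system/local highest, then apps/*/local, then apps/*/default, then system/default lowest, with apps ranked in ASCII order so that app "A" beats app "z") to a set of conf files and reports, per key, which file won. The file contents are constructed stand-ins for the three paths pfabrizi listed, not the real shipped files; the indexer address is the one from the question. Verify the app-ordering rule against the precedence page for your own Splunk version before relying on it.

```python
"""Added example (not from the thread, not Splunk's own code): resolve which
outputs.conf layer supplies each effective value under global-context precedence."""

# Constructed sample contents for the three files the poster listed.
# Illustrative stand-ins only, not the files Splunk actually ships.
LAYERS = {
    r"etc\apps\SplunkUniversalForwarder\default\outputs.conf": """
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 127.0.0.1:9997
""",
    r"etc\system\default\outputs.conf": """
[tcpout]
maxQueueSize = 500KB
useACK = false
""",
    r"etc\system\local\outputs.conf": """
[tcpout]
defaultGroup = indexers
[tcpout:indexers]
server = 10.83.180.135:9997
""",
}


def classify(path):
    """Map a conf path (Windows or POSIX separators) to (tier, app).
    tier 0 = system/default (lowest), 1 = apps/*/default,
    2 = apps/*/local, 3 = system/local (highest)."""
    parts = path.replace("\\", "/").split("/")
    if "etc" not in parts:
        raise ValueError(f"not a $SPLUNK_HOME/etc path: {path}")
    i = parts.index("etc")
    scope = parts[i + 1]
    if scope == "system":
        return (0, "") if parts[i + 2] == "default" else (3, "")
    if scope == "apps":
        app, layer = parts[i + 2], parts[i + 3]
        return (1 if layer == "default" else 2, app)
    raise ValueError(f"unsupported scope {scope!r} in {path}")


def ordered_layers(paths):
    """Return paths in the order they must be applied so that the last write
    wins. Within an app tier, ASCII-later app names are applied first, so the
    ASCII-earlier app ends up with higher precedence (A beats Z beats a)."""
    by_tier = {0: [], 1: [], 2: [], 3: []}
    for p in paths:
        tier, app = classify(p)
        by_tier[tier].append((app, p))
    ordered = []
    for tier in sorted(by_tier):
        ordered.extend(p for _, p in sorted(by_tier[tier], reverse=True))
    return ordered


def parse_conf(text):
    """Minimal .conf parser: {stanza: {key: value}}; comments and blanks skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def resolve(layers):
    """Apply every layer in precedence order; return
    {stanza: {key: (effective_value, path_that_supplied_it)}}."""
    result = {}
    for path in ordered_layers(layers):
        for stanza, kv in parse_conf(layers[path]).items():
            for key, value in kv.items():
                result.setdefault(stanza, {})[key] = (value, path)
    return result


if __name__ == "__main__":
    for stanza, kv in resolve(LAYERS).items():
        for key, (value, src) in kv.items():
            print(f"[{stanza}] {key} = {value}    <- {src}")
```

With the constructed files above, defaultGroup and the indexer address come from etc\system\local, while the queue settings still come from etc\system\default; the app's own default-autolb-group stanza survives but is inert because nothing references it. Running this against the real files on a forwarder (read from disk instead of LAYERS) shows the same provenance without hand-tracing the precedence table.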

pfabrizi
Path Finder

I have other Windows servers sending on 9997. I do have a question about which outputs.conf gets used.
I have three of them:

etc\apps\splunkuniversalforwarder\default
etc\system\default
etc\system\local - this is the one I changed.

Where should it be?

Thanks!

0 Karma

tmarlette
Motivator

Using a few assumptions, I'm going to guess that 10.83.180.135 is your indexer? (Port 9997 is the default data port.)

If that's the case, there's a connectivity issue between the two machines. Try telnet tests / SSH tests and resolve it as a standard connectivity issue.

0 Karma
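The two TcpOutputFd lines in the question, and tmarlette's "treat it as a standard connectivity issue", can be turned into a repeatable check rather than an ad-hoc telnet. The script below is an added example for this thread, not Splunk code and not from any poster: it pulls the failed destinations out of splunkd.log lines, reads the Winsock text Splunk passes through ("unreachable network" is WSAENETUNREACH, i.e. the forwarder host has no route; "actively refused" means the host answered but nothing listens, which is what an indexer without receiving enabled looks like; "did not properly respond" is a timeout, usually a firewall dropping packets), and then probes each host:port from the forwarder to classify the live failure the same way. The log lines are constructed from the ones quoted above, with one extra success line added; the self-check at the bottom uses only the loopback interface so it runs offline.

```python
"""Added example (not from the thread, not Splunk's own code): classify
forwarder-to-indexer connection failures from splunkd.log and a live probe."""
import errno
import re
import socket

# Constructed sample lines, modelled on the two quoted in the question,
# plus one success line that must be ignored.
SAMPLE_LOG = """\
08-21-2017 13:16:00.593 -0400 WARN TcpOutputFd - Connect to 10.83.180.135:9997 failed. A socket operation was attempted to an unreachable network.
08-21-2017 13:16:00.593 -0400 ERROR TcpOutputFd - Connection to host=10.83.180.135:9997 failed
08-21-2017 13:17:30.001 -0400 INFO TcpOutputProc - Connected to idx=10.83.180.136:9997
"""

# Matches both message shapes Splunk emits for a failed forwarder connection.
FAIL_RE = re.compile(
    r"TcpOutputFd - Connect(?:ion)? to (?:host=)?(?P<host>[\w.\-]+):(?P<port>\d+) failed"
)

# Winsock error text that splunkd passes through, mapped to a network meaning.
HINTS = (
    ("unreachable network", "unreachable"),   # WSAENETUNREACH: no route from this host
    ("actively refused", "refused"),          # WSAECONNREFUSED: host up, port not listening
    ("did not properly respond", "timeout"),  # WSAETIMEDOUT: packets dropped, e.g. firewall
)


def classify_message(line):
    """Label a log line by the Winsock reason it carries, or 'unknown'."""
    low = line.lower()
    for needle, label in HINTS:
        if needle in low:
            return label
    return "unknown"


def failed_destinations(log_text):
    """Return distinct (host, port, reason) triples for failed connections,
    keeping the most specific reason seen for each host:port."""
    found = {}
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        dest = (m.group("host"), int(m.group("port")))
        reason = classify_message(line)
        if dest not in found or found[dest] == "unknown":
            found[dest] = reason
    return [(h, p, r) for (h, p), r in found.items()]


def probe(host, port, timeout=3.0):
    """Attempt a TCP connect and return 'open', 'refused', 'unreachable',
    'timeout' or 'error:<errno name>'. Same vocabulary as classify_message so
    the logged reason and the live result can be compared directly."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        return f"error:{errno.errorcode.get(exc.errno, exc.errno)}"


def diagnose(log_text, timeout=3.0):
    """For each failed destination in the log, pair the logged reason with a
    live probe result: [(host, port, logged_reason, live_result)]."""
    return [(h, p, r, probe(h, p, timeout)) for h, p, r in failed_destinations(log_text)]


def demo_local_probe():
    """Offline self-check: probe a loopback port while we listen on it, then
    again after the listener is closed. Expected: ('open', 'refused')."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        while_open = probe("127.0.0.1", port, timeout=2.0)
    finally:
        srv.close()
    after_close = probe("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    print("loopback self-check:", demo_local_probe())
    for host, port, logged, live in diagnose(SAMPLE_LOG):
        print(f"{host}:{port}  logged={logged}  live={live}")
```

The point of carrying the same labels through both paths is triage: a logged "unreachable" that is still "unreachable" from the forwarder is a routing or default-gateway problem on the forwarder side, whereas "refused" points at the indexer's receiving port and "timeout" at something in between. Run it on the forwarder host itself, since that is the vantage point the log describes.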