
Re: What am I missing to get a successful connection between my Universal Forwarder and the sandbox?

Path Finder

One more question, sorry, but I have two servers that I need to keep track of, and I am following the same steps for the other server, but I am not seeing it get picked up from sandbox. Would I just need to apply the same settings, or is there something extra that needs to be done when trying to track two servers at once?

0 Karma

Re: What am I missing to get a successful connection between my Universal Forwarder and the sandbox?

Path Finder

Sorry, it just took a while 🙂 It showed up.

0 Karma

Re: What am I missing to get a successful connection between my Universal Forwarder and the sandbox?

Builder

The same configuration steps should work without any additional changes to the sandbox. Of course, you might want to specify a different default host in your inputs.conf so that you can tell the hosts apart. Don't forget to install the credentials app on the additional forwarder.

If you found my answer/comments helpful please accept the answer and/or give points. Thanks, I am glad you were able to get it working.

0 Karma

Re: What am I missing to get a successful connection between my Universal Forwarder and the sandbox?

Builder

I've also tried to get this going myself since I am seeing a lot of similar questions from folks having problems. For one thing, I learned that the sandbox server needs to have input- appended to the hostname in order to actually connect to the correct IP. After you get this far, you will probably see, as I did, that your connection to sandbox gets reset; this appears to be because Splunk has made some changes to make this "easier". There are apparently some embedded credentials in a special forwarder package which need to be used. I guess this is not going to work for the universal forwarder that I installed on my Raspberry Pi. Hopefully they will improve the documentation, as there is nothing to guide even experienced Splunk users to getting this connection to work manually. See the last comment on this question for a clue about why so many might be having issues with sandbox trial inputs:

http://answers.splunk.com/answers/147295/how-do-i-send-my-own-data-into-a-splunk-cloud-sandbox-trial...


Re: What am I missing to get a successful connection between my Universal Forwarder and the sandbox?

Builder

Paraphrasing my above comment as an answer: If you are getting connection reset errors like I am from my Raspberry Pi Universal Forwarder, it would appear that there have been some changes made involving authenticating external inputs. I found this by digging around and trying different options and not getting my connection to work, then seeing the last comment on this answers post:

http://answers.splunk.com/answers/147295/how-do-i-send-my-own-data-into-a-splunk-cloud-sandbox-trial...

[excerpt]

"The answers given above were valid at the time of writing but recently we secured all data inputs with a unique SSL certificate and key for each instance so you cannot just manually add the config files and make it work anymore. You have to download the universal forwarder app which has the required credentials embedded."

EDIT: The following helped get this working!

  1. Log into your sandbox instance and click on Universal Forwarder from your launch page.
  2. Click on the button to download the cloud credentials.
  3. Install this as an app on your forwarder ( /opt/splunkforwarder/bin/splunk install app /PATH/TO/splunkclouduf.spl )
  4. Make sure your output is named splunkcloud in your outputs.conf - mine is below
  5. Restart splunk

    [tcpout]
    defaultGroup = splunkcloud

    [tcpout:splunkcloud]
    server = input-prd-p-MYSERVERID.cloud.splunk.com:9997
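
An offline check of the two outputs.conf settings this thread converges on (the splunkcloud group name and the input- receiver hostname), as an added example that is not part of any post above. The function names are hypothetical, the sample files are constructed, and the script does not verify that the credentials app is installed.

```shell
#!/bin/sh
# Added example (not from the thread): offline check of outputs.conf.
# conf_get and check_outputs_conf are hypothetical helper names.

# conf_get FILE STANZA KEY: print KEY's value from [STANZA], if present.
conf_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_s = ($0 == want); next }
        in_s && /^[ \t]*[^#;=]+=/ {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_outputs_conf FILE: return 0 only if the file matches the thread's setup.
check_outputs_conf() {
    rc=0
    group=$(conf_get "$1" tcpout defaultGroup)
    server=$(conf_get "$1" tcpout:splunkcloud server)
    if [ "$group" != "splunkcloud" ]; then
        echo "FAIL: [tcpout] defaultGroup='$group', expected splunkcloud"; rc=1
    fi
    case $server in
        "") echo "FAIL: [tcpout:splunkcloud] has no server"; rc=1 ;;
        input-*.cloud.splunk.com:*) ;;   # receiver name carries the input- prefix
        *) echo "FAIL: server '$server' is not input-<id>.cloud.splunk.com:<port>"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $1"
    return "$rc"
}

# Constructed sample files (MYSERVERID is the thread's own placeholder).
sample_dir=$(mktemp -d)
printf '%s\n' '[tcpout]' 'defaultGroup = splunkcloud' '' \
    '[tcpout:splunkcloud]' \
    'server = input-prd-p-MYSERVERID.cloud.splunk.com:9997' > "$sample_dir/good.conf"
# Same file, but the receiver hostname is missing the input- prefix.
printf '%s\n' '[tcpout]' 'defaultGroup = splunkcloud' '' \
    '[tcpout:splunkcloud]' \
    'server = prd-p-MYSERVERID.cloud.splunk.com:9997' > "$sample_dir/bad.conf"

check_outputs_conf "$sample_dir/good.conf" || true
check_outputs_conf "$sample_dir/bad.conf" || true
```

On a real forwarder, point `check_outputs_conf` at the outputs.conf you edited before restarting.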


Re: What am I missing to get a successful connection between my Universal Forwarder and the sandbox?

Builder

Please note my edit at the end of my answer, it may help you.

0 Karma