Getting Data In

What am I missing to get a successful connection between my Universal Forwarder and the sandbox?

Path Finder

I followed the tutorial very carefully on setting up the forwarder on my two Tomcat servers. Now I am trying to verify that I can actually receive data from my catalina logs to my sandbox. When I go to 'Add Data', and click on 'forward' it gives me the notice: "There are currently no forwarders configured as deployment clients to this instance." But at the top of my screen I get another notice stating that: "Forwarding to indexer group default-autolb-group blocked for 1200 seconds.", which 'default-autolb-group' is the defaultGroup in my /opt/splunkforwarder/etc/system/local/output.conf file. I think that I am close on getting a connection but I am missing some step to complete it. Can someone help me on what I missing to verify a successful connection?

Also, my inputs.conf file only has the ip address of my server; do I need to put information about my catalina log file and if so what is the format, thanks!

Path Finder

lol man that was an experience, but every time i do a query i get these flags:

Info.csv being bloated by "lookup" log messages . Will not log additional errors. Refer search.log
The limit has been reached for log messages in info.csv. 1 messages have not been written to info.csv. Please refer search.log for these messages or limits.conf to configure this limit.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration '(?i)source::....zip(.\d+)?'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'ActiveDirectory'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'BoxAppForSplunkcontroller-toosmall'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'Linux:SELinuxConfig'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'PerformanceMonitor'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'SplunkTAaws-RestEndpoints-account-list-too_small'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'WinNetMonMk'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'WinNetMonMk'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'WinPrintMon'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'WinRegistry'.

0 Karma

Path Finder

The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'WinWinHostMon'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration '_singleline'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration '
json'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'accesscombined'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'access
combinedwcookie'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'access
common'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'aixsecure'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'anaconda'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'anaconda
syslog'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'apacheerror'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'asterisk
cdr'.

0 Karma

Path Finder

are these errors from my connection or sandbox settings?

0 Karma

Builder

This is something missing/misconfigured on your sandbox. Did you install any additional apps to your sandbox?

This sounds like a topic for a new question 😉

0 Karma

Path Finder

One more question, sorry but I have two servers that I need to keep track of, and I am following the same steps for the other server but I am not seeing it get picked up from sandbox. Would I just need to do apply the same settings, or is there something extra that needs to be done when trying to track two servers at once?

0 Karma

Builder

The same configuration steps should work without any additional changes to the sandbox. Of course you might want do specify a different default host in your inputs.conf so that you can tell the hosts apart. Don't forget to install the credentials app on the additional forwarder.

If you found my answer/comments helpful please accept the answer and/or give points. Thanks, I am glad you were able to get it working.

0 Karma

Path Finder

sorry it just took awhile 🙂 showed up

0 Karma

Path Finder

Yea, I installed sandbox for linux and unix but stopped with the process when I saw the (optional) on the step number from one of the forum questions you sent me, ill ask how to get rid of that, but thanks again for all your help!

0 Karma

Path Finder

no it exists, but I have to change permission

0 Karma

Path Finder

01-09-2015 19:40:02.418 +0000 INFO ServerConfig - Will generate GUID, as none found on this server.
01-09-2015 19:40:02.418 +0000 INFO ServerConfig - My newly generated GUID is C0A9901E-8B38-4435-8677-2DA23C1595EA
01-09-2015 19:40:02.419 +0000 INFO ServerConfig - My server name is "ip-172-31-35-141".
01-09-2015 19:40:02.419 +0000 INFO ServerConfig - Found no site defined in server.conf
01-09-2015 19:40:02.419 +0000 INFO ServerConfig - My hostname is "ip-172-31-35-141".
01-09-2015 19:40:02.452 +0000 INFO ServerConfig - Setting HTTP server compression state=on
01-09-2015 19:40:02.452 +0000 INFO ServerConfig - Setting HTTP client compression state=0 (false)
01-09-2015 19:40:02.452 +0000 INFO ServerConfig - Default output queue for file-based input: parsingQueue.
01-09-2015 19:40:02.481 +0000 INFO LicenseMgr - Initing LicenseMgr
01-09-2015 19:40:02.481 +0000 INFO LMConfig - serverName=ip-172-31-35-141 guid=C0A9901E-8B38-4435-8677-2DA23C1595EA
01-09-2015 19:40:02.481 +0000 INFO LMConfig - connectiontimeout=30
01-09-2015 19:40:02.481 +0000 INFO LMConfig - send
timeout=30
01-09-2015 19:40:02.481 +0000 INFO LMConfig - receivetimeout=30
01-09-2015 19:40:02.481 +0000 INFO LMConfig - squash
threshold=2000
01-09-2015 19:40:02.481 +0000 INFO LMConfig - strictpoolquota=1
01-09-2015 19:40:02.481 +0000 INFO LMConfig - key=pool_suggestion not found in licenser stanza of server.conf, defaulting=''

0 Karma

Builder

Hello, that looks like pretty normal startup stuff. I would look at near the end of the log for anything relating to the monitor you set up. It looks like your forwarding connection is okay based on the list forward-servers output.

0 Karma

Path Finder

and it appears that I cant access my splunkd.logs from my forwarder

0 Karma

Builder

Sorry missed this. Do not have administrative access to this system or are you just not finding the log?

0 Karma

Builder

SPLUNKHOME/var/log/splunk/splunkd.logs

On *nix home is usually /opt/splunkforwarder and on windows it would be under Program Files/splunkforwarder

0 Karma

Path Finder

and if my inputs.conf file isn't correctly setup with a monitor, would that be the reason why I am still not picking up the forwarder?

0 Karma