I have installed a universal forwarder on a Windows server, choosing to forward some of the Windows event logs, and then installed the credentials using the following command:
C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe install app C:\splunkclouduf.spl -auth admin:changeme
I then received a message in my instance that stated "splunk received event for unconfigured/disabled/deleted index=‘wineventlog’" so I created an appropriate index named wineventlog.
However, I am still unable to create a 'Data Input' for 'Windows Event Logs', I always receive the message "There are currently no forwarders configured as deployment clients to this instance". I'm not sure why this is, as clearly the universal forwarder on my server is sending data to my Splunk cloud instance, otherwise I would never have received the message regarding the missing index.
I have found the majority of the Splunk documentation to be very outdated, many dead links to documentation that no longer exists or has been moved, screenshots that no longer match either the universal forwarder installer OR the Splunk Cloud interface. I'm probably missing something really silly here, I've read over lots of previous questions stating that something is missing from outputs.conf or there may be a missing deploymentclient.conf file. I have tried running:
splunk.exe set deploy-poll
In handler 'deploymentclient': No configuration change made.
This is a standalone Splunk Cloud instance. I am still unable to create a 'Data Input' for 'Windows Event Logs', although I can now see that there is data in the wineventlog index I created earlier (although I can't search it).
Thanks in advance,
I’m the Splunk Light technical writer, and I wrote detailed steps for the deploy-poll command. Try the steps below as it should solve your issue. Disregard the reference to Splunk Light, as it should work the same for Splunk Cloud. I’m not sure what your management port is, but the default is 8089.
Did you install the universal forwarder using the CLI, or using the installation wizard? Typically, the installation wizard has a configure as a Deployment Server screen that should configure this deploy-poll command for you.
Configure the universal forwarder to be a deployment client
Configure the universal forwarder to be a deployment client. This allows you to configure data inputs on the universal forwarder from the Splunk Light cloud service, which is also the deployment server.
a. Register the universal forwarder as a deployment client of the Splunk Light cloud service. From $SPLUNK_HOME\bin, enter the following command:
.\splunk set deploy-poll input-<Splunk Light cloud service hostname>:<mgmtPort>
For example, .\splunk set deploy-poll input-abc-d-12abcdefghij.cloud.splunk.com:8089
b. Restart the universal forwarder.
This can take up to 15 minutes as the Splunk Light cloud service updates.
If these steps do not solve your issue, let me know and I can talk to the other technical writers to help get you the correct information.
Senior Technical Writer
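A check for the result of the steps in the answer above, as an added example that is not part of the original thread or Splunk's own tooling. It assumes that set deploy-poll stores its target as targetUri under [target-broker:deploymentServer] in deploymentclient.conf and that the forwarder sits in the default install path; the function names and sample configs are constructed for illustration.

```powershell
# Added example (not from the thread). Assumption: 'set deploy-poll' stores its
# target as targetUri under [target-broker:deploymentServer] in deploymentclient.conf.
function Get-DeployPollTarget {
    param([string[]]$ConfLines)
    $stanza = ''
    foreach ($line in $ConfLines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#')) { continue }   # skip blanks and comments
        if ($t -match '^\[(.+)\]$') { $stanza = $Matches[1]; continue }
        if ($stanza -eq 'target-broker:deploymentServer' -and
            $t -match '^targetUri\s*=\s*(.+)$') { return $Matches[1].Trim() }
    }
    return $null   # stanza or key absent
}

# Validate the input-<hostname>:<mgmtPort> form shown in the answer.
function Test-DeployPollTarget {
    param([string]$TargetUri)
    if (-not $TargetUri) { return 'FAIL: no targetUri, forwarder is not a deployment client' }
    if (-not ($TargetUri -match '^([^:\s]+):(\d+)$')) {
        return "FAIL: '$TargetUri' is not in host:mgmtPort form"
    }
    $hostName = $Matches[1]; $port = [int]$Matches[2]
    if (-not $hostName.StartsWith('input-')) { return "FAIL: '$hostName' lacks the 'input-' prefix" }
    if ($port -ne 8089) { return "WARN: port $port is not the default management port 8089" }
    return 'OK'
}

# Constructed sample configs; the hostname is the placeholder used in the answer.
$stanzaLine = '[target-broker:deploymentServer]'
$samples = [ordered]@{
    'as in the answer'  = "$stanzaLine`ntargetUri = input-abc-d-12abcdefghij.cloud.splunk.com:8089"
    'prefix missed off' = "$stanzaLine`ntargetUri = abc-d-12abcdefghij.cloud.splunk.com:8089"
    'port missing'      = "$stanzaLine`ntargetUri = input-abc-d-12abcdefghij.cloud.splunk.com"
    'never registered'  = "[deployment-client]`n# no target-broker stanza"
}
foreach ($name in $samples.Keys) {
    $target = Get-DeployPollTarget ($samples[$name] -split "`n")
    '{0,-18} {1}' -f $name, (Test-DeployPollTarget $target)
}

# On a real forwarder, check the file itself (default install path assumed).
$conf = 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\deploymentclient.conf'
if (Test-Path $conf) { Test-DeployPollTarget (Get-DeployPollTarget (Get-Content $conf)) }
```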
Thanks so much for your answer! I can confirm that running the following command does indeed fix the issue for me:
splunk.exe set deploy-poll input-abc-d-12abcdefghij.cloud.splunk.com:8089
I did install the universal forwarder using the installation wizard, and I did see the 'Deployment Server' screen. However, I think the wording on that screen threw me a little. It wasn't clear to me that I had to enter my Splunk instance details in order to configure the universal forwarder to actually be a "deployment client". I may have even tried to enter my instance details, but missed off the 'input-' part of the URL. Again, I couldn't see any specific instructions in the documentation for this, and I may have incorrectly assumed that this would be handled as part of installing the credentials (splunkclouduf.spl), as after performing this step I checked the configuration files and could see what I thought were the correct URLs in the correct places in these files.
Thanks so much for your help, much appreciated!
Great James! So glad this info worked for you!
I will pass along your input to product management and the documentation team, as we are working on updates to the universal forwarder installers and documentation to make sure the situation you ran into doesn't happen.
All the best...and happy Splunking!
This solved my issue as well. As someone who just started a Splunk cloud trial I found it very frustrating that this step isn't mentioned anywhere in the initial setup documentation.
Honestly why is this manual step even necessary? It seems like the installer should be able to take care of this.
As James mentioned, I'm finding the documentation to be very outdated and full of links to old information.