I installed the forwarder on a Linux VM and I'm trying to establish a connection between the indexer and the forwarder, but was unable to do that. When I was trying to start the forwarder, the command is not working and I don't know why? - (./splunk start)
You need to be in the bin directory to start the Splunk forwarder
Go to /opt/splunkforwarder/bin and execute ./splunk start
or do it all in a one liner like /opt/splunkforwarder/bin/splunk start
I have done that, I was just checking the status of the splunk and want to try
ping myipaddress --- just want to check the connection between forwarder and indexer
and want to try command---- splunk add forward -server myipaddress:9997
but I'm stopping at this point itself ..
[user@localhost bin]$ ./splunk start
splunkd 7002 was not running.
Stopping splunk helpers...
[ OK ]
Done.
Stopped helpers.
Removing stale pid file... done.
Splunk> Another one.
Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-6.5.2-67571ef4b87d-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Done
[ OK ]
[user@localhost bin]$ splunk status
bash: splunk: command not found...
You should also do a telnet from your forwarder to the indexer to verify you're not getting blocked by a firewall
Install telnet
sudo yum install telnet
Once installed run this
telnet INDEXER_IP 9997
It should successfully connect
I'm getting this error while trying to run that command:
[user@localhost bin]$ sudo yum install telnet
[sudo] password for user :
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-
: manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
There are no enabled repos.
Run "yum repolist all" to see the repos you have.
You can enable repos with yum-config-manager --enable
This is more of a RHEL issue than Splunk, but it looks like you have a bad date or time on your system. You may also not have the subscription registered
What do you get when you run ./splunk status while in the /opt/splunkforwarder/bin directory?
[user@localhost bin]$ ./splunk status
splunkd is running (PID: 4365).
splunk helpers are running (PIDs: 4376).
At last I have established the connection between indexer (host-windows) and forwarder (Linux) but now I'm stuck again at adding a specific indexer where I need to send my data. Actually I'm getting documents for Windows but I'm finding it a bit difficult to find the documents for Linux. I was trying to edit the outputs.conf file but it's a bit different from the Windows one I think ....!!
I was trying to add a folder to the forwarder to read data but it's giving me an error .. as "Your session is invalid. Please login."
[root@localhost bin]# ./splunk add monitor /home/user/Desktop/Forward_Data -index my_db
Your session is invalid. Please login.
That's standard, the default creds for the forwarder are
user = admin
password = changeme
Once you enter this info, the forwarder will be added
I have tried those login credentials but it's not working either,
and the forwarder is added already, I just want to send the data from forwarder to indexer
so I'm trying to add a folder to the forwarder to monitor the data
Reach out to me privately or start a new question for more info
[user@localhost bin]$ yum repolist all
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-
: manager
repolist: 0
You're in the bin directory already so the command should look like this..
./splunk status
If you weren't in the bin directory then it would look like this
/opt/splunkforwarder/bin/splunk status
this helped me ..
Feel free to upvote if it helped 🙂
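The thread's two open checks, which indexer the forwarder is configured to send to and whether port 9997 on it is reachable, can be done without telnet (which could not be installed above because no yum repos were enabled). The script below is an added example, not code from the thread or from Splunk. It assumes bash and the coreutils `timeout` command are present and that the forwarder's outputs.conf sits at /opt/splunkforwarder/etc/system/local/outputs.conf; the function names are made up for this example.

```shell
#!/usr/bin/env bash
# Added example: list the indexers named in a forwarder's outputs.conf and
# test TCP reachability of each one using bash's /dev/tcp instead of telnet.
#
# Expected input format (constructed sample, not from the thread):
#   [tcpout:primary]
#   server = 192.0.2.10:9997, 192.0.2.11:9997

# Print one host:port per line from every "server = ..." setting in the file.
list_indexers() {
    # $1: path to outputs.conf
    sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' "$1" |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        sed '/^$/d'
}

# Return 0 if a TCP connection to host:port succeeds within 5 seconds.
check_port() {
    # $1: host, $2: port
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# Check every configured indexer; return non-zero if any is unreachable.
check_outputs() {
    # $1: path to outputs.conf
    rc=0
    for target in $(list_indexers "$1"); do
        host=${target%:*}      # text before the last colon
        port=${target##*:}     # text after the last colon
        if check_port "$host" "$port"; then
            echo "OK      $target"
        else
            echo "FAILED  $target (firewall, wrong address, or indexer not listening)"
            rc=1
        fi
    done
    return $rc
}

# Run only when a config path is given, e.g.:
#   ./check_indexers.sh /opt/splunkforwarder/etc/system/local/outputs.conf
if [ -n "${1:-}" ]; then
    check_outputs "$1"
fi
```

A FAILED line for an indexer that is up usually means receiving has not been enabled on that port on the indexer, or a firewall between the two hosts is dropping the connection.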