Re: Why am I unable to get data from the forwarder...

sapq · ‎11-30-2018

Hi Team,

I have installed the 6.4.3 version of the universal forwarder on a Windows server 2012. But i am unable to get the server data from the forwarder to the Spunk application.

Below are the details of the data present in the three configuration files.

output.conf
[tcpout]
default=autolb-group
[tcpout-server://gmwcnappv00586.gdc0.chevron.net:9997]

inputs.conf
[default]
host = gmwcnappv00150

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

I need the data from the forwarder server gmwcnappv00586 to be reflected in the splunk application server gmwcnappv00150
Kindly let me know the comment as earliest

Thanks
Sanket Panchal

skalliger · ‎11-30-2018

Hi,

you're missing an inputs.conf stanza for a Universal Forwarder sending to your indexer.
Something like this:

 [splunktcp:9997]
 compressed = true
 disabled = 0
 connection_host = none

You could also write:

[splunktcp://gmwcnappv00150:9997]

if gmwcnappv00150 is your UF.

Did that help?

Skalli

Edit: typo

Why am I unable to get data from the forwarder to the Splunk application?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation