Why am I unable to get data from the forwarder to ...

sapq · ‎11-30-2018

Hi Team,

I have installed the 6.4.3 version of the universal forwarder on a Windows server 2012. But i am unable to get the server data from the forwarder to the Spunk application.

Below are the details of the data present in the three configuration files.

output.conf
[tcpout]
default=autolb-group
[tcpout-server://gmwcnappv00586.gdc0.chevron.net:9997]

inputs.conf
[default]
host = gmwcnappv00150

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

I need the data from the forwarder server gmwcnappv00586 to be reflected in the splunk application server gmwcnappv00150
Kindly let me know the comment as earliest

Thanks
Sanket Panchal

skalliger · ‎11-30-2018

Hi,

you're missing an inputs.conf stanza for a Universal Forwarder sending to your indexer.
Something like this:

 [splunktcp:9997]
 compressed = true
 disabled = 0
 connection_host = none

You could also write:

[splunktcp://gmwcnappv00150:9997]

if gmwcnappv00150 is your UF.

Did that help?

Skalli

Edit: typo

Why am I unable to get data from the forwarder to the Splunk application?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation