I have a universal forwarder installed on my Windows server. I am trying to send Event Logs with certain Event Types to the Indexer server. In addition to that, I am sending files stored in my server location to the indexer server. All these data need to be sent to a particular index within the indexer server. However, when I search the indexer with the Index name, I am not able to get any results.
inputs.conf from my Forwarder:
[default]
host = WIN2K3CPT

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[WinEventLog://Application]
disabled = 0
index = applogrc
sourcetype = srcapplogrc
whitelist = SourceName="^RC_ProcessInstAppService_Failure$"
whitelist1 = SourceName="^RC_ProductTransferService_Failure$"
whitelist2 = SourceName="^RC_MarketOfferProcessor_Failure$"
whitelist3 = EventType="Warning"

[monitor://F:\inetpub\wwwroot\T3Report]
disabled = 0
index = applogrc
sourcetype = srcapplogrc
whitelist = CMC\.txt|RC\.txt
props.conf from the Indexer server:
transforms.conf from the indexer server:
[sendtoapplogrc]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = applogrc
indexer are different things. I see your configuration for sending to particular index values but if you are trying to send some stuff to certain indexers, we need to see your
Thanks. Here it is:
# standard outputs.conf layout: the default group named in [tcpout] must have its own [tcpout:<group>] stanza
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = server1.mydomain.com:11070
Note: All these conf files are in system\local folder. And I did try restarting the Splunk Instance post changes.
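As an added example (not code from this thread or from Splunk), the following Python dry-run parses a forwarder's inputs.conf and outputs.conf and evaluates the WinEventLog whitelist rules from the question against constructed sample events, so the filter logic can be sanity-checked without restarting a forwarder. It assumes the standard [tcpout] / [tcpout:<group>] layout for outputs.conf, uses a placeholder indexer hostname, and encodes Splunk's documented whitelist semantics (separate whitelist/whitelistN lines are ORed, key=regex pairs on one line are ANDed, and a bare regex applies to EventCode). It goes slightly beyond the posted config by also accepting the %regex% delimiter form and multi-key lines.

```python
"""Dry-run a Universal Forwarder's inputs.conf / outputs.conf: report which index
each enabled input targets, where tcpout sends it, and which sample Windows
events the WinEventLog whitelist rules would let through."""
import configparser
import re
from typing import Dict, List, Tuple

# Constructed sample conf text modelled on the stanzas in the question.
# The indexer hostname is a placeholder, not a real host.
INPUTS_CONF = r"""
[default]
host = WIN2K3CPT

[WinEventLog://Application]
disabled = 0
index = applogrc
sourcetype = srcapplogrc
whitelist = SourceName="^RC_ProcessInstAppService_Failure$"
whitelist1 = SourceName="^RC_ProductTransferService_Failure$"
whitelist2 = SourceName="^RC_MarketOfferProcessor_Failure$"
whitelist3 = EventType="Warning"

[monitor://F:\inetpub\wwwroot\T3Report]
disabled = 0
index = applogrc
sourcetype = srcapplogrc
whitelist = CMC\.txt|RC\.txt
"""

OUTPUTS_CONF = r"""
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = indexer.example.invalid:11070
"""

Rule = List[Tuple[str, str]]  # one whitelist line: AND of (key, regex) pairs
KEYED = re.compile(r'(\w+)=(?:"([^"]*)"|%([^%]*)%)')  # Key="regex" or Key=%regex%


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk's INI-style .conf syntax; keep key case, no % interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys such as defaultGroup are case-sensitive
    cp.read_string(text)
    return cp


def parse_rule(value: str) -> Rule:
    """Split 'Key="regex" Key2=%regex%' into pairs; a bare regex applies to EventCode."""
    pairs = [(k, quoted or pct) for k, quoted, pct in KEYED.findall(value)]
    return pairs if pairs else [("EventCode", value)]


def whitelist_rules(cp: configparser.ConfigParser, stanza: str) -> List[Rule]:
    """Collect whitelist, whitelist1 .. whitelist9 in order, each as one rule."""
    names = ["whitelist"] + [f"whitelist{i}" for i in range(1, 10)]
    return [parse_rule(cp[stanza][n]) for n in names if n in cp[stanza]]


def event_allowed(event: Dict[str, str], rules: List[Rule]) -> bool:
    """Whitelist lines are ORed; pairs within one line are ANDed; no whitelist passes all."""
    if not rules:
        return True
    return any(all(re.search(rx, event.get(k, "")) for k, rx in rule) for rule in rules)


def destination_index(cp: configparser.ConfigParser, stanza: str) -> str:
    """Index an input writes to: its own setting, then [default], else the indexer's main."""
    if cp.has_option(stanza, "index"):
        return cp[stanza]["index"]
    if cp.has_section("default") and cp.has_option("default", "index"):
        return cp["default"]["index"]
    return "main"


def output_servers(cp: configparser.ConfigParser) -> List[str]:
    """Resolve [tcpout] defaultGroup to the server list of its [tcpout:<group>] stanza."""
    group = cp["tcpout"]["defaultGroup"]
    servers = cp[f"tcpout:{group}"]["server"]
    return [s.strip() for s in servers.split(",") if s.strip()]


def forwarding_report(inputs_text: str, outputs_text: str) -> Dict[str, object]:
    """Map every enabled input stanza to its index and list the receiving servers."""
    inputs, outputs = load_conf(inputs_text), load_conf(outputs_text)
    enabled = [s for s in inputs.sections()
               if s != "default" and inputs[s].get("disabled", "0") == "0"]
    return {"indexes": {s: destination_index(inputs, s) for s in enabled},
            "servers": output_servers(outputs)}


if __name__ == "__main__":
    print(forwarding_report(INPUTS_CONF, OUTPUTS_CONF))
    rules = whitelist_rules(load_conf(INPUTS_CONF), "WinEventLog://Application")
    for ev in ({"SourceName": "RC_MarketOfferProcessor_Failure", "EventType": "Error"},
               {"SourceName": "SomethingElse", "EventType": "Warning"},
               {"SourceName": "SomethingElse", "EventType": "Error"}):
        print(ev, "->", "forwarded" if event_allowed(ev, rules) else "dropped")
```

The report makes the first thing to check visible: every enabled stanza here already resolves to applogrc from inputs.conf alone, and the data leaves through the single server in the default tcpout group, so a search that returns nothing points at delivery (receiving port, permissions, connectivity) rather than at index routing.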
Hi, there's no need for the props and transforms in this case because you're specifying the index in the inputs.conf stanza.
Have you made sure that port 11070 is open from your machine to the other machine? Firewalls can block this connection, such as Windows Firewall, network firewalls, Linux firewalls (iptables, apparmor), etc.
Also, to be sure, the inputs.conf and outputs.conf files should be on the universal forwarder, not the Splunk indexer. You mentioned inputs.conf was on the UF but nothing about the location of outputs.conf, so I'm just checking to be sure.
Finally, I removed your internal server names from your post for your own protection.
Thanks Michael. The location of my outputs.conf is within the UF (etc/system/local) itself. Also, I did a telnet to port 11070. It's open.
Is there anything specific that we need to configure within the Forwarder for it to actually start forwarding data? I am of the assumption that it starts sending the data automatically once outputs.conf is placed and the instance restarted.
That's all it takes so long as the account splunkd is running under has permissions to read the data you're looking for and then receiving is enabled on the indexers on that port.
@ppablo_splunk hey man, is there anyway we can delete/edit the comments the op made that contained his server names from the question history?