Getting Data In

Why does using the Splunk Forwarder with Splunk Free display message "This feature is not available with your installed set of licenses"?

cboard
Explorer

From my understanding the Splunk free license still lets you forward logs from other servers using the Splunk universal forwarder.

On my indexer web interface, I can view the Splunk forwarder server being connected but when I go to add data from a forwarder the page just says This feature is not available with your installed set of licenses. yet everything I've read seems to indicate this should be possible.

What am I missing? Thanks for any help you can provide.

1 Solution

skoelpin
SplunkTrust

Are you running in a distributed or standalone environment?


woodcock
Esteemed Legend

By setting it to "free" you have disabled your ability to use your Search Head as a Deployment Server so that the forwarder can be configured from the Search Head (Deployment Server) using the Settings -> Add data -> Forward data from splunk forwarder. You can still forward from your forwarder but you have to do it from the CLI on the forwarder itself. If you have access to the CLI of the forwarder you can use oneshot or inputs.conf:

https://docs.splunk.com/Documentation/Splunk/6.5.2/Data/MonitorfilesanddirectoriesusingtheCLI
https://www.google.com/search?


skoelpin
SplunkTrust

Are you running in a distributed or standalone environment?

cboard
Explorer

To be honest I have no idea; how do I find that out? If it helps, I've added the inputs.conf and outputs.conf files and run /opt/splunkforwarder/bin/splunk set deploy-poll 192.168.1.93:8089 to add the forwarder.


skoelpin
SplunkTrust

Does your search head also act as an indexer?


cboard
Explorer

I have no idea about that either. All I've done on one server is install Splunk Enterprise and set the licensing group to "Free", and then installed the universal Splunk forwarder on the second server.
Sorry, I'm not being overly helpful; I only just started looking into Splunk recently.


skoelpin
SplunkTrust

No worries, we will get to the bottom of this.

Go to Settings > Distributed search > Distributed search setup

Turn on distributed search?

Which one is selected?

Splunk Free disables distributed searching. You will need to add the forwarder manually, as the deployment server is disabled.

https://www.splunk.com/en_us/products/splunk-enterprise/free-vs-enterprise.html


cboard
Explorer

I set the licensing to Free myself. I had no intention of getting Enterprise, so I switched it straight to Free so I don't end up using something and then later find it's not available.

If I go to Settings and then Distributed search, I get the following: "This feature is not available with your installed set of licenses".


skoelpin
SplunkTrust

When you download Splunk, you get Splunk Trial, which has full Enterprise features for 60 days. After 60 days, it rolls over to the free version.

Since you're using Splunk Free, I'm assuming you have a small number of servers you want to monitor (maybe fewer than 10?). If that is the case, you won't need the deployment server; you can add the forwarder manually.

Go to the remote machine which has the logs you want to forward. Install wget if it isn't already (sudo yum install wget), then download the Splunk Universal Forwarder (the download and instructions below are for a Linux machine).

You will then unzip the file and start Splunk with /opt/splunk/bin/splunk start --accept-license, then go to /opt/splunk/etc/system/local and create 2 files. One will be inputs.conf and the other outputs.conf.

Modify the info below to fit the directory you want to monitor.

inputs.conf

[default]
host = 

[monitor:///opt/log/www*/access.log]
index=web
sourcetype=access_combined

outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = Machine IP hosting Splunk

Splunk UF Download

wget -O splunkforwarder-6.5.2-67571ef4b87d-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.5.2&product=universalforwarder&filename=splunkforwarder-6.5.2-67571ef4b87d-Linux-x86_64.tgz&wget=true'
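As an added example (not from the thread or from Splunk), here is a small Python checker that parses a forwarder's inputs.conf and outputs.conf and flags the two placeholders left in the files above before the forwarder is started: an empty host and a server value that is not host:port. The sample files are constructed from the post; the receiving port 9997 in the hint is an assumption (the page only mentions the management port 8089).

```python
import configparser
import re

# Constructed sample: the two files from the post above with their
# placeholders left unfilled (not taken from any real host).
INPUTS_CONF = """
[default]
host =

[monitor:///opt/log/www*/access.log]
index=web
sourcetype=access_combined
"""
OUTPUTS_CONF = """
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = Machine IP hosting Splunk
"""
HOSTPORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")  # server must be host:port

def parse_conf(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. defaultGroup
    cp.read_string(text)
    return cp

def check_forwarder_conf(inputs_text, outputs_text):
    # Returns a list of problems; an empty list means the pair looks usable.
    problems = []
    inp, out = parse_conf(inputs_text), parse_conf(outputs_text)
    if not inp.get("default", "host", fallback="").strip():
        problems.append("inputs.conf: [default] host is empty")
    monitors = [s for s in inp.sections() if s.startswith("monitor://")]
    if not monitors:
        problems.append("inputs.conf: no [monitor://...] stanza, nothing is forwarded")
    for s in monitors:
        for key in ("index", "sourcetype"):
            if not inp.get(s, key, fallback="").strip():
                problems.append(f"inputs.conf: [{s}] missing {key}")
    group = out.get("tcpout", "defaultGroup", fallback="").strip()
    stanza = f"tcpout:{group}"
    if not group or not out.has_section(stanza):
        problems.append(f"outputs.conf: defaultGroup '{group}' has no [{stanza}] stanza")
        return problems
    if out.get(stanza, "disabled", fallback="false").strip().lower() in ("1", "true"):
        problems.append(f"outputs.conf: [{stanza}] is disabled")
    for server in out.get(stanza, "server", fallback="").split(","):
        if not HOSTPORT.match(server.strip()):
            problems.append(f"outputs.conf: server '{server.strip()}' is not host:port, e.g. 192.168.1.93:9997")
    return problems
```

Run it against the real files under /opt/splunkforwarder/etc/system/local by reading them into the two strings; anything it reports will also show up as a forwarder that connects on the management port but never delivers events.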

cboard
Explorer

That's done it. Thanks so much for your help. Much appreciated.
