Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does using the Splunk Forwarder with Splunk Free display message "This feature is not available with your installed set of licenses"?

cboard
Explorer
‎03-20-2017 03:00 PM

From my understanding the Splunk free license still lets you forward logs from other servers using the Splunk universal forwarder.

On my indexer web interface, I can view the Splunk forwarder server being connected but when I go to add data from a forwarder the page just says This feature is not available with your installed set of licenses. yet everything I've read seems to indicate this should be possible.

What am I missing? Thanks for any help you can provide.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎03-20-2017 03:38 PM

Are you running in a distributed or standalone environment?

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-20-2017 04:16 PM

By setting it to "free" you have disabled your ability to use your Search Head as a Deployment Server so that the forwarder can be configured from the Search Head (Deployment Server) using the Settings -> Add data -> Forward data from splunk forwarder. You can still forward from your forwarder but you have to do it from the CLI on the forwarder itself. If you have access to the CLI of the forwarder you can use oneshot or inputs.conf:

https://docs.splunk.com/Documentation/Splunk/6.5.2/Data/MonitorfilesanddirectoriesusingtheCLI
https://www.google.com/search?

0 Karma
Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎03-20-2017 03:38 PM

Are you running in a distributed or standalone environment?

Reply
Solved! Jump to solution

cboard
Explorer
‎03-20-2017 03:39 PM

To be honest I have no idea, how do I find that out. If it helps I've added the inputs.conf and outputs.conf files and run /opt/splunkforwarder/bin/splunk set deploy-poll 192.168.1.93:8089 to add the forwarder

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-20-2017 03:43 PM

Does your search head also act as an indexer?

0 Karma
Reply
Solved! Jump to solution

cboard
Explorer
‎03-20-2017 03:45 PM

I have no idea about that either. All I've done on one server is install Splunk Enterprise and set the licensing group to "Free" and then installed the universal splunk forwarder on the second server.
Sorry, I'm not answering overly helpful, only just started looking into splunk recently.

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-20-2017 03:47 PM

No worries, we will get to the bottom of this..

Go to Settings>Distributed search> Distributed search setup

Turn on distributed search?

Which one is selected?

Splunk free version disables distributed searching.. You will need to manually add the forwarder as the deployment server is disabled

https://www.splunk.com/en_us/products/splunk-enterprise/free-vs-enterprise.html

0 Karma
Reply
Solved! Jump to solution

cboard
Explorer
‎03-20-2017 03:50 PM

I set the licensing to free myself, I had no intention of getting the enterprise so switched it straight to free so I don't end up using something and then later on find its not availalble.

If I go to settings and then distributed search I get the following This feature is not available with your installed set of licenses

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-20-2017 03:59 PM

When you download Splunk, you will get Splunk Trial which is full enterprise features for 60 days.. After 60 days, it will roll to the free version.

Since you're using Splunk free, I'm assuming you will have a small amount of servers you want to monitor (Maybe less than 10?). If this is the case then you wont need to use the deployment server, you can add the forwarder manually

Go to the remote machine which has logs that you want to forward. Install wget if not already (sudo yum install wget).. Then download the Splunk Universal Forwarder (The download and instructions below are for a Linux machine)

You will then unzip the file and start Splunk /opt/splunk/bin/splunk start --accept-license then go to /opt/splunk/etc/system/local and create 2 files.. One will be inputs.conf and the other is outputs.conf..

Modify the info below to fit what directory you want to monitor

inputs.conf

[default]
host = 

[monitor:///opt/log/www*/access.log]
index=web
sourcetype=access_combined

outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = Machine IP hosting Splunk

Splunk UF Download

wget -O splunkforwarder-6.5.2-67571ef4b87d-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.5.2&product=universalforwarder&filename=splunkforwarder-6.5.2-67571ef4b87d-Linux-x86_64.tgz&wget=true'
Reply
Solved! Jump to solution

cboard
Explorer
‎03-20-2017 04:12 PM

That's done it. Thanks so much for your help. Much appreciated.

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...