From my understanding, the Splunk free license still lets you forward logs from other servers using the Splunk universal forwarder.
On my indexer's web interface I can see the Splunk forwarder server connected, but when I go to add data from a forwarder the page just says
"This feature is not available with your installed set of licenses."
Yet everything I've read seems to indicate this should be possible. What am I missing? Thanks for any help you can provide.
By setting it to "free" you have disabled your ability to use your Search Head as a Deployment Server, so the forwarder can no longer be configured from the Search Head (Deployment Server) using Add data -> Forward data from Splunk forwarder. You can still forward from your forwarder, but you have to do it from the CLI on the forwarder itself. If you have access to the CLI of the forwarder you can use
To be honest I have no idea; how do I find that out? If it helps, I've added the inputs.conf and outputs.conf files and run
/opt/splunkforwarder/bin/splunk set deploy-poll 192.168.1.93:8089
to add the forwarder.
I have no idea about that either. All I've done on one server is install Splunk Enterprise and set the licensing group to "Free", and then installed the Splunk universal forwarder on the second server.
Sorry I'm not being very helpful; I only just started looking into Splunk recently.
No worries, we will get to the bottom of this.
Settings > Distributed search > Distributed search setup
Under "Turn on distributed search?", which one is selected?
The Splunk free version disables distributed searching. You will need to add the forwarder manually, as the deployment server is disabled.
I set the licensing to free myself. I had no intention of getting Enterprise, so I switched it straight to free so I don't end up using something and later find it's not available.
If I go to Settings and then Distributed search I get the following:
"This feature is not available with your installed set of licenses"
When you download Splunk you get the Splunk Trial, which has full Enterprise features for 60 days. After 60 days it rolls over to the free version.
Since you're using Splunk Free, I'm assuming you have a small number of servers you want to monitor (maybe fewer than 10?). If that is the case you won't need the deployment server; you can add the forwarder manually.
Go to the remote machine that has the logs you want to forward. Install wget if it isn't already installed (sudo yum install wget), then download the Splunk Universal Forwarder (the download and instructions below are for a Linux machine).
You will then unzip the file and start Splunk:
/opt/splunk/bin/splunk start --accept-license
Then go to /opt/splunk/etc/system/local and create 2 files. One will be inputs.conf and the other outputs.conf. Modify the info below to fit what directory you want to monitor.

inputs.conf:
[default]
# host = the name this forwarder should report in the host field of its events
host =

[monitor:///opt/log/www*/access.log]
index = web
sourcetype = access_combined

outputs.conf:
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
# server must be <IP>:<port>; the port has to be enabled for receiving on the
# indexer (Settings > Forwarding and receiving), 9997 being the usual choice
server = <Machine IP hosting Splunk>:9997
Splunk UF Download
wget -O splunkforwarder-6.5.2-67571ef4b87d-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.5.2&product=universalforwarder&filename=splunkforwarder-6.5.2-67571ef4b87d-Linux-x86_64.tgz&wget=true'
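As an added example (not code from the thread above), here is the same manual setup as a POSIX shell script, for the situation in this thread where Splunk Free has disabled the deployment server, so "splunk set deploy-poll" is pointless and the forwarder has to be configured on its own filesystem. It assumes the forwarder tarball was unpacked to its default directory /opt/splunkforwarder (override with SPLUNK_HOME), that the indexer is the 192.168.1.93 from the question and has receiving enabled on port 9997 (done on the indexer under Settings > Forwarding and receiving, or with "splunk enable listen 9997"), and that the logs live under the /opt/log/www*/access.log path from the answer; those addresses, ports and paths are assumptions, not facts from the page. It also catches the two configuration mistakes that leave a forwarder connected but silent: a server entry without a port, and a missing monitor stanza.

```shell
#!/bin/sh
# Added example, not code from the thread above: configure a Splunk Universal
# Forwarder from its own CLI/filesystem, which is the only route left once the
# Free license has disabled the deployment server (so no "splunk set deploy-poll").
# Assumptions (not stated on the page): the UF tarball was unpacked to
# /opt/splunkforwarder, the indexer is 192.168.1.93 and has receiving enabled
# on 9997, and the access logs live under /opt/log/www*/access.log.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
INDEXER="${INDEXER:-192.168.1.93}"
RECV_PORT="${RECV_PORT:-9997}"
MONITOR_PATH="${MONITOR_PATH:-/opt/log/www*/access.log}"

# Write inputs.conf and outputs.conf under etc/system/local.
# Heredoc bodies are not glob-expanded, so the '*' in MONITOR_PATH survives.
write_uf_conf() {
    conf_dir="$SPLUNK_HOME/etc/system/local"
    mkdir -p "$conf_dir"
    cat > "$conf_dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = $INDEXER:$RECV_PORT
EOF
    cat > "$conf_dir/inputs.conf" <<EOF
[default]
host = $(hostname 2>/dev/null || uname -n)

[monitor://$MONITOR_PATH]
index = web
sourcetype = access_combined
EOF
}

# Catch the two mistakes that make a forwarder sit silently: a server entry
# without a port, and a missing monitor stanza. Returns 0 when both look right.
check_uf_conf() {
    conf_dir="$SPLUNK_HOME/etc/system/local"
    grep -Eq '^server = [^: ]+:[0-9]+$' "$conf_dir/outputs.conf" || return 1
    grep -q '^\[monitor://' "$conf_dir/inputs.conf" || return 1
}

# Restart so the forwarder reads the new files; skipped when no binary is
# present (for example when the script is only being dry-run elsewhere).
restart_uf() {
    if [ -x "$SPLUNK_HOME/bin/splunk" ]; then
        "$SPLUNK_HOME/bin/splunk" restart
    else
        echo "no splunk binary under $SPLUNK_HOME, skipping restart" >&2
    fi
}

# Run "sh uf-setup.sh apply" on the forwarder host to write, check and restart.
if [ "${1:-}" = "apply" ]; then
    write_uf_conf
    check_uf_conf || { echo "config check failed" >&2; exit 1; }
    restart_uf
fi
```

After the restart, the forwarder should show up under the indexer's Settings > Forwarding and receiving, and events should appear with index=web; if nothing arrives, the first things to check are that 9997 is actually enabled for receiving on the indexer and reachable from the forwarder host.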