Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is Splunk Universal Forwarder on AWS not showing up in the list of forwarders in my Cloud instance?

Time2MarketSPlu
Engager
‎01-10-2017 07:28 PM

I am new to Splunk and I am trying to test Splunk Cloud with my AWS instance. I have a forwarder built in AWS.
It does not show up in the forwarders of my cloud instance

It installs fine according to the instructions provided. I have installed using the .spl file and a local admin account. I restarted Splunk using the CLI. no errors were encountered - here is the output

PS C:\Program
Files\SplunkUniversalForwarder\bin>
.\splunk.exe restart SplunkForwarder:
Stopped

Splunk> Like an F-18, bro.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from 'C:\Program
Files\SplunkUniversalForwarder\splunkforwarder-6.5.1-
f74036626f0c-windows-64-manifest'
All installed files intact.
Done All preliminary checks passed.

Starting splunk server daemon
(splunkd)...

SplunkForwarder: Starting (pid 2200)
Done

The forwarder has internet access, and Windows firewall has been disabled.
I have added a syslog listener to the forwarder using Splunk add udp 514 -sourcetype syslog

I have confirmed that data is getting to the forwarder using wireshark but I don't see data being forwarded out

how can I determine what the issue is?

thanks

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎01-10-2017 08:05 PM

Since you have the Cloud Forwarder app installed from your Splunk Cloud instance, your host should be sending data to Splunk Cloud.

First run the following search

index=_internal | stats count by host

Note the hosts sending data to your instance. You should be seeing your "AWS instance" listed there. Is it?

If so, in the forwarder list in the Management Console section, this can take time to populate.

Reply

Time2MarketSPlu
Engager
‎01-10-2017 08:27 PM

thank you! - There is actual data from my forwarder
The directions led me to believe that I had to configure the forwarder which was not showing up ( and still isnt ) , Ididnt think to check for any data

0 Karma
Reply

Time2MarketSPlu
Engager
‎01-11-2017 09:08 AM

@esix .. how long should it take for the forwarder to populate in the mgmt console ? been over 12 hours still not there

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...