I have 2 Linux machines.
I installed the universal forwarder on one of them and configured the inputs.conf and outputs.conf files to get the data from a file on the same machine and forward it to the second machine. And, when I ran the ./splunk list monitor command, the file I need to be monitored appeared.
On the second one, I installed Splunk Enterprise and now, I need to receive the file mentioned above from the universal forwarder to view on Splunk web but it doesn't work.
Can anyone help me, please?
There are 3 basic steps not including restarts.
1: Start an Indexer listening on port 9997 (splunktcp in inputs.conf).
2: Configure the forwarder to send everything to the indexer (outputs.conf).
3: Configure the forwarder to something specific to the indexer (monitor in inputs.conf).
4: Restart Splunk on each box after configuring one of these files.
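The three stanzas those steps correspond to, one per file, as an added example that is not part of the original answer. The indexer address 192.0.2.10, the monitored path and the sourcetype are placeholders; the port and file locations are Splunk defaults.

```ini
# --- Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Step 1: open the receiving port (the "listening port" a forwarder connects to).
[splunktcp://9997]
disabled = 0

# --- Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Step 2: send everything to the indexer. 192.0.2.10 is a placeholder address;
# the port must match the splunktcp stanza on the indexer.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = 192.0.2.10:9997

# --- Forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Step 3: monitor the file to ship. Path and sourcetype are placeholders;
# "main" exists by default on the indexer, any other index has to be created there.
[monitor:///var/log/app/example.log]
index = main
sourcetype = app_log
disabled = 0
```

Step 4 still applies: restart Splunk on the box whose files you changed, then confirm with `splunk list forward-server` on the forwarder that the indexer shows up as an active connection.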
"It doesn't work" isn't much to go on.
Have you set up the second machine to receive data? Is the forwarder sending to the right address and port (typically 9997)? Is a firewall getting in the way? Is there anything in splunkd.log on either machine that might explain what is going on?
Thank you so much, it worked.
We're glad you have it working. Would you mind posting an answer explaining what you did to get it to work? Then accept that answer so future readers with similar problems can find your solution.
I just forgot to configure the listening port.
Hi,
Have you looked at the documentation at http://docs.splunk.com/Documentation/Splunk/7.2.0/Data/Getstartedwithgettingdatain and then the next 4-5 pages on using universal forwarders and the receiving port on Splunk Enterprise?