Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why isn't the receiver receiving files from universal forwarder?

dinaabdelhakam
Path Finder
‎11-12-2018 12:14 AM

I have 2 Linux machines.

I installed the universal forwarder on one of them and configured the inputs.conf and outputs.conf files to get the data from a file on the same machine and forward it to the second machine. And, when I ran the ./splunk list monitor command, the file I need to be monitored appeared.

On the second one, I installed Splunk Enterprise and now, I need to receive the file mentioned above from the universal forwarder to view on Splunk web but it doesn't work.

Can anyone help me please..?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-12-2018 12:15 PM

There are 3 basic steps not including restarts.
1: Start an Indexer listening on port 9997 (splunktcp in inputs.conf).
2: Configure the forwarder to send everything to the indexer (outputs.conf).
3: Configure the forwarder to something specific to the indexer (monitor in inputs.conf).
4: Restart Splunk on each box after configuring one of these files.

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-12-2018 12:15 PM

There are 3 basic steps not including restarts.
1: Start an Indexer listening on port 9997 (splunktcp in inputs.conf).
2: Configure the forwarder to send everything to the indexer (outputs.conf).
3: Configure the forwarder to something specific to the indexer (monitor in inputs.conf).
4: Restart Splunk on each box after configuring one of these files.

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-12-2018 05:47 AM

"It doesn't work" isn't much to go on.
Have you set up the second machine to receive data? Is the forwarder sending to the right address and port (typically 9997)? Is a firewall getting in the way? Is there anything in splunkd.log on either machine that might explain what is going on?

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

dinaabdelhakam
Path Finder
‎11-12-2018 06:34 AM

Thank you so much it worked

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-12-2018 11:10 AM

We're glad you have it working. Would you mind posting an answer explaining what you did to get it to work? Then accept that answer so future readers with similar problems can find your solution.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

dinaabdelhakam
Path Finder
‎11-12-2018 11:43 PM

I just forgot to configure the listening port

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎11-12-2018 05:16 AM

Hi,

Have you looked at documentation http://docs.splunk.com/Documentation/Splunk/7.2.0/Data/Getstartedwithgettingdatain and then next 4-5 pages to use universal forwarders & receiving port on Splunk Enterprise ?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...