Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Why isn't the receiver receiving files from univer...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have 2 Linux machines.
I installed the universal forwarder on one of them and configured the inputs.conf and outputs.conf files to get the data from a file on the same machine and forward it to the second machine. And, when I ran the ./splunk list monitor command, the file I need to be monitored appeared.
On the second one, I installed Splunk Enterprise and now, I need to receive the file mentioned above from the universal forwarder to view on Splunk web but it doesn't work.
Can anyone help me please..?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are 3 basic steps not including restarts.
1: Start an Indexer listening on port 9997 (splunktcp in inputs.conf).
2: Configure the forwarder to send everything to the indexer (outputs.conf).
3: Configure the forwarder to something specific to the indexer (monitor in inputs.conf).
4: Restart Splunk on each box after configuring one of these files.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are 3 basic steps not including restarts.
1: Start an Indexer listening on port 9997 (splunktcp in inputs.conf).
2: Configure the forwarder to send everything to the indexer (outputs.conf).
3: Configure the forwarder to something specific to the indexer (monitor in inputs.conf).
4: Restart Splunk on each box after configuring one of these files.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"It doesn't work" isn't much to go on.
Have you set up the second machine to receive data? Is the forwarder sending to the right address and port (typically 9997)? Is a firewall getting in the way? Is there anything in splunkd.log on either machine that might explain what is going on?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much it worked
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We're glad you have it working. Would you mind posting an answer explaining what you did to get it to work? Then accept that answer so future readers with similar problems can find your solution.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just forgot to configure the listening port
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Have you looked at documentation http://docs.splunk.com/Documentation/Splunk/7.2.0/Data/Getstartedwithgettingdatain and then next 4-5 pages to use universal forwarders & receiving port on Splunk Enterprise ?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
