Solved: Re: help please : inputs problem - Page 2

neermine · ‎08-15-2018

hi i have configurate my universal forwarder and splunk so i can find my machine in the host list of splunk .. but i think i have a problem in the inputs.conf because i can't find the sourcetype and the indexer that i have creat

skoelpin · ‎08-15-2018

You should look at the forwarder logs and see if its sending data. You can see this by going to /top/splunkforwarder/var/log/splunk/splunkd.log and this will tell you if its sending its logs to the indexer(s). You can also do a quick search to see if any logs are present. Assuming this is a relatively new setup, you can set your time range to all-time

| metasearch index=me

View solution in original post

neermine · ‎08-15-2018

yes i configured outputs.conf and the forwarder status of the UF is configurate and active
in the host list of splunk i can find my machine name
i configure the tcp port 9997
but what did you mean by set up the index on your indexer ?

FrankVl · ‎08-15-2018

You configured index=me in your inputs.conf. Did you also actually create that index on your indexer (your splunk enterprise instance)?

neermine · ‎08-15-2018

yes i did but it has no events

help please : inputs problem

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation