You're showing the inputs.conf on the UF, what does the rest of your setup look like? Have you also configured outputs.conf to send the data to your indexer? Have you set up this index on your indexer?
You'll need to describe your problem a bit better for anyone to be able help you solve it.
yes i configured outputs.conf and the forwarder status of the UF is configurate and active
in the host list of splunk i can find my machine name
i configure the tcp port 9997
but what did you mean by set up the index on your indexer ?
index=me in your inputs.conf. Did you also actually create that index on your indexer (your splunk enterprise instance)?
You should look at the forwarder logs and see if its sending data. You can see this by going to
/top/splunkforwarder/var/log/splunk/splunkd.log and this will tell you if its sending its logs to the indexer(s). You can also do a quick search to see if any logs are present. Assuming this is a relatively new setup, you can set your time range to all-time
| metasearch index=me
Most likely. You should check out the forwarder logs and see what the forwarder is complaining about. Also, can you do a telnet from the forwarder to the indexer?
From the forwarder machine, go to your cmd prompt and do a
telnet <indexIP> 9997 and see if it connects. The forwarder logs will also tell you if its being blocked. Either way works
This means your forwarder can successfully connect to the indexer on that port, so you do not have a firewall issue, most likely a configuration issue. Have you confirmed the file your monitoring has data? Did you restart the Splunk service after updating your inputs?
What is the forwarder log saying? If its a windows machine you can check under