Getting Data In

Please help me: how can I configure Splunk Enterprise so it can see the forwarder?

neermine
Path Finder

Hey, please help!! I did all the steps of the universal forwarder configuration, but I still can't forward data into Splunk Enterprise.
How can I configure Splunk Enterprise so it can see the forwarder??

1 Solution

skoelpin
SplunkTrust

So you've confirmed your indexer is listening to the forwarder on port 9997. Next you have to confirm that you placed an outputs.conf on the forwarder, which tells the forwarder where to send the logs. Next you should place an inputs.conf on the forwarder, which tells it which directory/file(s) to monitor and forward to Splunk. Once you add these files to the forwarder, you should then restart the Splunk service on the forwarder and do a search to verify the logs are going to Splunk.

http://docs.splunk.com/Documentation/Forwarder/7.1.2/Forwarder/Configureforwardingwithoutputs.conf
http://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Monitorfilesanddirectorieswithinputs.conf


0 Karma


neermine
Path Finder

I did all the steps that you mentioned, but it still does not work 😕
I installed Splunk Enterprise on a Windows 7 machine and the forwarder on another Windows 7, but in the same virtual machine, and the two systems have the same IP address. Could this be the problem?

0 Karma

skoelpin
SplunkTrust

Did you restart the forwarder service after applying the configs? Can you do a telnet from the forwarder to the indexer to confirm you can connect? Is your indexer listening on port 9997 for active connections?

0 Karma
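As an added example (not code from this thread or from Splunk), here is how the steps in the two answers above translate to a PowerShell session on the forwarder host: a TCP probe in place of telnet, the CLI commands that write outputs.conf and inputs.conf for you, a restart, and the checks that show what the forwarder actually loaded. It assumes the default install path, a placeholder indexer address of 192.168.56.10, placeholder credentials admin:changeme, and a monitor path of C:\var\log\*.log; adjust all four to your environment.

```powershell
# Added example, not from the original thread. Configures a Windows universal
# forwarder and verifies each step. Assumptions (placeholders, adjust them):
#   - UF installed in C:\Program Files\SplunkUniversalForwarder
#   - indexer reachable at 192.168.56.10, receiving on TCP 9997
#   - UF admin credentials admin:changeme
#   - files to monitor under C:\var\log\*.log
# Run in an elevated PowerShell session on the forwarder host.

$ufHome  = 'C:\Program Files\SplunkUniversalForwarder'
$splunk  = Join-Path $ufHome 'bin\splunk.exe'
$indexer = '192.168.56.10'
$port    = 9997
$auth    = 'admin:changeme'

# 1. Connectivity first (the PowerShell equivalent of "telnet indexer 9997").
#    TcpClient works on Windows 7, where Test-NetConnection does not exist.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($indexer, $port)
    $reachable = $client.Connected
} catch {
    $reachable = $false
} finally {
    $client.Close()
}
if (-not $reachable) {
    throw "Cannot reach ${indexer}:${port}. Enable receiving on the indexer and check firewalls before touching .conf files."
}

# 2. outputs.conf: where to send data. This writes a [tcpout] stanza into
#    etc\system\local\outputs.conf under the UF install directory.
& $splunk add forward-server "${indexer}:${port}" -auth $auth

# 3. inputs.conf: what to send. Note the backslash before the wildcard:
#    C:\var\log\*.log matches files inside C:\var\log, whereas C:\var\log*.log
#    matches files in C:\var whose names start with "log". The index must
#    already exist on the indexer; the forwarder will not create it.
& $splunk add monitor 'C:\var\log\*.log' -index main -sourcetype my_app_log -auth $auth

# 4. Restart so splunkd re-reads the configuration.
& $splunk restart

# 5. Verify. The forward-server list should show the indexer under
#    "Active forwards"; btool prints the merged config the UF really uses
#    (with --debug it also shows which file each setting came from).
& $splunk list forward-server -auth $auth
& $splunk btool outputs list tcpout --debug
& $splunk btool inputs list monitor --debug
```

If step 1 throws, stop there: an unreachable port is a receiving or network problem on the indexer side, and no forwarder-side .conf change will fix it. If step 5 lists the indexer under "Configured but inactive forwards", the outputs.conf is right but the connection is not being established, which again points back to step 1.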

neermine
Path Finder

It was a network problem between the two machines where the forwarder and Splunk were set up. Now I can see my machine name in the host list of Splunk, but I can't find the index and the sourcetype that I created in the inputs.conf.
Thanks.

skoelpin
SplunkTrust

What index did you specify in your inputs.conf? You can do a quick search over the tsidx files to locate your logs:

| metasearch index=*

0 Karma

neermine
Path Finder

This is my inputs.conf:
[monitor://C:\var\log*.log]
disabled = 0
sourcetype = log
index = me
| metasearch index=* didn't work.
My OS is Windows.

0 Karma

neermine
Path Finder

The firewall is deactivated too.

0 Karma

dauren_akilbeko
Communicator

Did you enable receiving of data from forwarders? Check if your Splunk Enterprise instance is listening at localhost:8000/fr-FR/manager/launcher/data/inputs/tcp/cooked

0 Karma

neermine
Path Finder

I did enable receiving of data from forwarders, but Splunk Enterprise is not listening at localhost:8000; its status is: wait-time. What can I do?

0 Karma

dauren_akilbeko
Communicator

By default Splunk listens for data from forwarders on port 9997, but you have to enable it. http://i.imgur.com/pUgpVoX.png

8000 is for web access.

0 Karma

neermine
Path Finder

It's active.

0 Karma
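As an added example on the indexer side (again not code from this thread or from Splunk), these PowerShell steps cover the later part of the discussion: enabling receiving on port 9997 rather than 8000, checking at the OS level that the port is open, making sure the index named in the forwarder's inputs.conf exists on the indexer, and finding where forwarded events actually landed when a search for the expected index returns nothing. One caveat on the posted stanza: `[monitor://C:\var\log*.log]` matches files in C:\var whose names begin with "log", not files inside C:\var\log\. Assumptions: the default install path, placeholder credentials admin:changeme, and index name me and sourcetype log as in the posted inputs.conf.

```powershell
# Added example, not from the original thread. Indexer-side checks for the
# "host shows up but my index/sourcetype do not" situation. Assumptions
# (placeholders, adjust them):
#   - Splunk Enterprise installed in C:\Program Files\Splunk
#   - admin credentials admin:changeme
#   - the forwarder's inputs.conf sends to index=me with sourcetype=log
# Run in an elevated PowerShell session on the indexer host.

$splunkHome = 'C:\Program Files\Splunk'
$splunk     = Join-Path $splunkHome 'bin\splunk.exe'
$auth       = 'admin:changeme'
$index      = 'me'
$port       = 9997

# 1. Receiving must be enabled on the indexer. This writes a [splunktcp://9997]
#    stanza into etc\system\local\inputs.conf; port 8000 is only Splunk Web.
& $splunk enable listen $port -auth $auth
& $splunk display listen -auth $auth

# 2. Confirm the OS really has the port open (netstat works on Windows 7,
#    where Get-NetTCPConnection is unavailable). Expect a LISTENING line.
netstat -an | Select-String -Pattern ":$port\s" | Select-String -Pattern 'LISTENING'

# 3. The index named in the forwarder's inputs.conf must exist here. The
#    forwarder cannot create it, and events for an unknown index are dropped
#    by the indexer rather than stored under some other name.
$known = & $splunk list index -auth $auth
if (-not ($known | Select-String -Pattern ('^\s*' + $index + '\s*$') -Quiet)) {
    & $splunk add index $index -auth $auth
}

# 4. Look for dropped events: the indexer records them in splunkd.log with
#    the index name it could not find.
$log = Join-Path $splunkHome 'var\log\splunk\splunkd.log'
Select-String -Path $log -Pattern "unconfigured/disabled/deleted index=$index" | Select-Object -Last 5

# 5. Search from the CLI. If the first query is empty, the second shows which
#    index and sourcetype the forwarded events actually arrived under, which
#    exposes a wrong index name or a stanza that matched no files.
& $splunk search "index=$index sourcetype=log | head 5" -auth $auth
& $splunk search "index=* earliest=-24h | stats count by host, index, sourcetype" -auth $auth
```

If step 4 finds matches, the forwarder was sending fine and the only problem was the missing index; after creating it, new events will land there but the dropped ones are gone. If step 5's second query shows the host but not sourcetype=log, the monitor stanza matched different files than intended, which is where the missing backslash in C:\var\log*.log would show up.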