Getting Data In

Please help me: how can I configure Splunk Enterprise so it can see the forwarder?

neermine
Path Finder

Hey, please help!! I did all the steps of the universal forwarder configuration but I still can't forward data into Splunk Enterprise.
How can I configure Splunk Enterprise so it can see the forwarder??

1 Solution

skoelpin
SplunkTrust

So you've confirmed your indexer is listening to the forwarder on port 9997. Next you have to confirm that you placed an outputs.conf on the forwarder, which tells the forwarder where to send the logs. Then you should place an inputs.conf on the forwarder, which tells it which directory/file(s) to monitor and forward to Splunk. Once you add these files to the forwarder, restart the Splunk service on the forwarder and do a search to verify the logs are reaching Splunk.

http://docs.splunk.com/Documentation/Forwarder/7.1.2/Forwarder/Configureforwardingwithoutputs.conf
http://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Monitorfilesanddirectorieswithinputs.conf


0 Karma


neermine
Path Finder

I did all the steps that you mentioned but it still does not work 😕
I installed Splunk Enterprise on a Windows 7 machine and the forwarder on another Windows 7, but in the same virtual machine, and the two systems have the same IP address. Could this be the problem?

0 Karma

skoelpin
SplunkTrust

Did you restart the forwarder service after applying the configs? Can you do a telnet from the forwarder to the indexer to confirm you can connect? Is your indexer listening on port 9997 for active connections?

0 Karma

neermine
Path Finder

It was a network problem with the two machines where the forwarder and Splunk were set up. Now I can see my machine name in the host list of Splunk, but I can't find the index and the sourcetype that I created in the inputs.conf.
Thanks.

skoelpin
SplunkTrust

What index did you specify in your inputs.conf? You can do a quick search over the tsidx files to locate your logs:

| metasearch index=*

0 Karma

neermine
Path Finder

This is my inputs.conf:

[monitor://C:\var\log*.log]
disabled = 0
sourcetype = log
index = me

metasearch index=* didn't work.
My OS is Windows.

0 Karma

neermine
Path Finder

The firewall is deactivated as well.

0 Karma

dauren_akilbeko
Communicator

Did you enable receiving of data from forwarders? Check if your Splunk Enterprise instance is listening at localhost:8000/fr-FR/manager/launcher/data/inputs/tcp/cooked

0 Karma

neermine
Path Finder

I did enable receiving of data from forwarders, but Splunk Enterprise is not listening at localhost:8000; its status is "wait-time". What can I do?

0 Karma

dauren_akilbeko
Communicator

By default Splunk listens for data from forwarders on port 9997, but you have to enable it. http://i.imgur.com/pUgpVoX.png

8000 is for web access.

0 Karma

neermine
Path Finder

It's active.

0 Karma
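The accepted answer and the follow-ups boil down to three checks on the forwarder: an outputs.conf that names the indexer, an inputs.conf with an enabled monitor stanza that sets the index you later search, and a TCP connection to the indexer's receiving port (the "telnet to 9997" test). The script below is an added example, not from this thread or from Splunk: it parses constructed sample copies of both files (the indexer address 192.0.2.10, the group name my_indexers, and the monitor path with an explicit `\*.log` wildcard are all assumed placeholders), reports the misconfigurations that most often produce "host shows up but my index is empty", attempts the connection, and prints the metasearch the answer suggests. Point it at the real files under `$SPLUNK_HOME\etc\system\local` to check your own forwarder.

```python
"""Pre-flight check for a Splunk universal forwarder's outputs.conf / inputs.conf.
Added example; the sample .conf contents below are constructed, not a real deployment."""
import configparser
import socket
from typing import Dict, List, Tuple

# Constructed sample standing in for $SPLUNK_HOME/etc/system/local/outputs.conf
SAMPLE_OUTPUTS = """
[tcpout]
defaultGroup = my_indexers

[tcpout:my_indexers]
server = 192.0.2.10:9997
"""

# Constructed sample standing in for $SPLUNK_HOME/etc/system/local/inputs.conf
SAMPLE_INPUTS = """
[monitor://C:\\var\\log\\*.log]
disabled = 0
sourcetype = log
index = me
"""


def parse_conf(text: str) -> configparser.ConfigParser:
    """Splunk .conf files are INI-style; keys are case-sensitive and '%' is literal."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (defaultGroup, not defaultgroup)
    cp.read_string(text)
    return cp


def check_outputs(text: str) -> Tuple[List[str], List[Tuple[str, int]]]:
    """Return (problems, [(host, port), ...]) found in an outputs.conf."""
    cp = parse_conf(text)
    problems: List[str] = []
    servers: List[Tuple[str, int]] = []
    groups = [s for s in cp.sections() if s.startswith("tcpout:")]
    if not groups:
        problems.append("no [tcpout:<group>] stanza: the forwarder has nowhere to send data")
    default = cp.get("tcpout", "defaultGroup", fallback=None) if cp.has_section("tcpout") else None
    if default and f"tcpout:{default}" not in cp.sections():
        problems.append(f"defaultGroup '{default}' has no matching [tcpout:{default}] stanza")
    for g in groups:
        raw = cp.get(g, "server", fallback="")
        if not raw.strip():
            problems.append(f"[{g}] has no server= line")
            continue
        for entry in raw.split(","):  # server = host1:9997, host2:9997 is allowed
            host, sep, port = entry.strip().rpartition(":")
            if not sep or not port.isdigit():
                problems.append(f"[{g}] server entry '{entry.strip()}' is not host:port")
            else:
                servers.append((host, int(port)))
    return problems, servers


def check_inputs(text: str) -> Tuple[List[str], Dict[str, Dict[str, str]]]:
    """Return (problems, {stanza: options}) for every monitor:// stanza in an inputs.conf."""
    cp = parse_conf(text)
    problems: List[str] = []
    monitors: Dict[str, Dict[str, str]] = {}
    for s in cp.sections():
        if not s.startswith("monitor://"):
            continue
        opts = dict(cp.items(s))
        if opts.get("disabled", "0").strip().lower() in ("1", "true"):
            problems.append(f"[{s}] is disabled")
        if "index" not in opts:
            problems.append(f"[{s}] sets no index= (events land in the indexer's default index)")
        monitors[s] = opts
    if not monitors:
        problems.append("no [monitor://...] stanza: nothing is being read")
    return problems, monitors


def can_reach(host: str, port: int, timeout: float = 3.0) -> bool:
    """The same test as 'telnet <indexer> 9997': can a TCP connection be opened?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verification_search(monitors: Dict[str, Dict[str, str]]) -> str:
    """Build the search from the answer, scoped to the index(es) the inputs actually use."""
    indexes = sorted({o.get("index", "main") for o in monitors.values()})
    return "| metasearch " + " OR ".join(f"index={i}" for i in indexes)


if __name__ == "__main__":
    out_problems, servers = check_outputs(SAMPLE_OUTPUTS)
    in_problems, monitors = check_inputs(SAMPLE_INPUTS)
    for p in out_problems + in_problems:
        print("PROBLEM:", p)
    for host, port in servers:
        print(f"{host}:{port} reachable from this host: {can_reach(host, port)}")
    print("verify on the search head with:", verification_search(monitors))
```

If the index named in inputs.conf does not exist on the indexer, the script cannot tell you that, but the search it prints will: an index that the indexer does not know about yields nothing, which is the symptom in this thread.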