hey please help!! I did all the steps of the universal forwarder configuration but I still can't forward data into Splunk Enterprise.
How can I configure Splunk Enterprise so it can see the forwarder?
So you've confirmed your indexer is listening to the forwarder on port 9997. Next you have to confirm that you placed an outputs.conf on the forwarder, which tells the forwarder where to send the logs. Next you should place an inputs.conf on the forwarder, which tells it which directory/file(s) to monitor and forward to Splunk. Once you add these files to the forwarder, restart the Splunk service on the forwarder and do a search to verify the logs are going to Splunk.
http://docs.splunk.com/Documentation/Forwarder/7.1.2/Forwarder/Configureforwardingwithoutputs.conf
http://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Monitorfilesanddirectorieswithinputs.conf
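As an added illustration of the three steps above (not part of the original answer), here is a minimal set of Splunk .conf stanzas for the receiving side and the forwarder side. The indexer address 192.0.2.10, the output group name my_indexers, the index name me and the log directory C:\var\log are assumptions chosen for the example; replace them with your own values. The receiving stanza on the indexer is the file-based equivalent of enabling "Receive data" in the web UI.

```ini
# ===== Indexer (Splunk Enterprise): $SPLUNK_HOME\etc\system\local\inputs.conf =====
# Open TCP 9997 for cooked data from forwarders (same as Settings > Forwarding and receiving > Receive data).
[splunktcp://9997]
disabled = 0

# ===== Indexer: $SPLUNK_HOME\etc\system\local\indexes.conf =====
# The index named in the forwarder's inputs.conf must exist on the indexer,
# otherwise the indexer drops the events and logs a warning in splunkd.log.
[me]
homePath   = $SPLUNK_DB/me/db
coldPath   = $SPLUNK_DB/me/colddb
thawedPath = $SPLUNK_DB/me/thaweddb

# ===== Forwarder: $SPLUNK_HOME\etc\system\local\outputs.conf =====
# Where to send data: one output group pointing at the indexer's receiving port.
[tcpout]
defaultGroup = my_indexers

[tcpout:my_indexers]
# placeholder address, replace with the indexer's real IP or hostname
server = 192.0.2.10:9997

# ===== Forwarder: $SPLUNK_HOME\etc\system\local\inputs.conf =====
# What to collect: every *.log file under C:\var\log (assumed location), tagged with the index and sourcetype.
[monitor://C:\var\log\*.log]
disabled = 0
sourcetype = log
index = me
```

After saving the files, run `splunk restart` from $SPLUNK_HOME\bin on both machines, then search `index=me` on the indexer. If the host appears but the index does not, check that the [me] stanza (or the index created in Settings > Indexes) exists on the indexer and that the forwarder's splunkd.log shows a successful connection to 192.0.2.10:9997 rather than a connection-refused or timeout message.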
I did all the steps that you mentioned but it still does not work 😕
I installed Splunk Enterprise on a Windows 7 machine and the forwarder on another Windows 7, but in the same virtual machine, and the two systems have the same IP address. Could this be the problem?
Did you restart the forwarder service after applying the configs? Can you do a telnet from the forwarder to the indexer to confirm you can connect? Is your indexer listening on port 9997 for active connections?
It was a network problem between the two machines where the forwarder and Splunk were set up. Now I can see my machine name in the host list of Splunk, but I can't find the index and the sourcetype that I created in the inputs.conf.
thanks.
What index did you specify in your inputs.conf? You can do a quick search over the tsidx files to locate your logs
| metasearch index=*
this is my inputs.conf:
[monitor://C:\var\log*.log]
disabled = 0
sourcetype = log
index = me
metasearch index=* didn't work
my OS is Windows
the firewall is deactivated too
Did you enable receiving of data from forwarders? Check if your Splunk Enterprise instance is listening at localhost:8000/fr-FR/manager/launcher/data/inputs/tcp/cooked
I did enable receiving of data from forwarders, but Splunk Enterprise is not listening at localhost:8000; its status is: wait-time. What can I do?
By default Splunk listens for data from forwarders on port 9997, but you have to enable it. http://i.imgur.com/pUgpVoX.png
8000 is for web access.
it's active