Getting Data In

please help me : How CAN I configurate splunk enterprise so it could see the forwarder ?

neermine
Path Finder

hey please help!! i did all the steps of universal forwarder configuration but i still can't forward data into splunk entreprise
How CAN I configurate splunk enterprise so it could see the forwarder ??
alt text
alt text

1 Solution

skoelpin
SplunkTrust
SplunkTrust

So you've confirmed your indexer is listening to the forwarder on port 9997. Next you have to confirm if you placed an outputs.conf on the forwarder which tells the forwarder where to send the logs to. Next you should place an inputs.conf on the forwarder which tell it which directory/file(s) to monitor and forwarder to Splunk. Once you add these files to the forwarder, you should then restart the Splunk service on the forwarder and do a search to verify the logs are going to Splunk.

http://docs.splunk.com/Documentation/Forwarder/7.1.2/Forwarder/Configureforwardingwithoutputs.conf
http://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Monitorfilesanddirectorieswithinputs.conf

View solution in original post

0 Karma

skoelpin
SplunkTrust
SplunkTrust

So you've confirmed your indexer is listening to the forwarder on port 9997. Next you have to confirm if you placed an outputs.conf on the forwarder which tells the forwarder where to send the logs to. Next you should place an inputs.conf on the forwarder which tell it which directory/file(s) to monitor and forwarder to Splunk. Once you add these files to the forwarder, you should then restart the Splunk service on the forwarder and do a search to verify the logs are going to Splunk.

http://docs.splunk.com/Documentation/Forwarder/7.1.2/Forwarder/Configureforwardingwithoutputs.conf
http://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Monitorfilesanddirectorieswithinputs.conf

0 Karma

neermine
Path Finder

i did all the steps that you did mention but it still does not work 😕
i install the splunk entreprise on a windows 7 machine and the forwarder on another windows 7 but in the same virtuelle machine and the two system have the same ip adresse could this be the problem ?

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Did you restart the forwarder service after applying the configs? Can you do a telnet from the forwarder to the indexer to confirm you can connect. Is your indexer listening on port 9997 for active connections?

0 Karma

neermine
Path Finder

it was a problem of network because the tow machines where the forwarder and the splunk were set up now i can see my machine name in the host list of splunk but i can't find the index and the sourcetype that i have create in the inputs.conf
thanks.

skoelpin
SplunkTrust
SplunkTrust

What index did you specify in your inputs.conf? You can do a quick search over the tsidx files to locate your logs

| metasearch index=*

0 Karma

neermine
Path Finder

this is my inputs :
[monitor://C:\var\log*.log]
disabled = 0
sourcetype = log
index = me
metasearch index=* didn't work
my os is wondows

0 Karma

neermine
Path Finder

the firewall is desactivate also

0 Karma

dauren_akilbeko
Communicator

Did you enable receiving of data from forwarders? Check if your Splunk Enterprise instance is listening at localhost:8000/fr-FR/manager/launcher/data/inputs/tcp/cooked

0 Karma

neermine
Path Finder

i did enable receiving of data from forwaders but splunk enterprise id not listening at localhost:8000 his etat is :wait-time what can i do ?

0 Karma

dauren_akilbeko
Communicator

By default Splunk listens for data from forwarders on port 9997, but you have to enable it. http://i.imgur.com/pUgpVoX.png

8000 is for web access.

0 Karma

neermine
Path Finder

it's active

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...