universal forwarder

sarah89
Path Finder

Please, I need help.

I deployed a universal forwarder by following the tutorial "Distributed Deployment Manual".

The universal forwarder on the machine is configured like this:

inputs.conf
[default]
host = atelcom-62de949

[monitor://Documents and Settings\sarah\Bureau\splunk image]
disabled = false

output.conf

[tcpout]
defaultGroup = 192.168.0.45_9997
[tcpout:192.168.0.45_9997]
server = 192.168.0.45:9997
[tcpout-server://192.168.0.45:9997]

The Splunk instance (the indexer) is installed in a Windows Server 2008 virtual machine.
I enabled the receiver, but when I use the deployment monitor to see the forwarder, I don't find anything from it; it doesn't seem to be working.
Can you please tell me how to fix this?

sarah89
Path Finder

I had to disable the firewalls of Windows Server 2008.

sarah89
Path Finder

Thanks a lot, I get it.

0 Karma

Ayn
Legend

You should have a look at splunkd.log on the indexer to see what error messages you're getting. Ideas on possible problems: non-SSL connection to an SSL enabled listening port, mismatch on compression settings.

0 Karma

sarah89
Path Finder

Splunk server:

Process= splunkd.exe
PID=1360
Protocol= TCP
Local address= lab2008
Local port =9997
Remote address= lab2008
Remote port=0
Stat= LISTENING

Universal forwarder:

Process= splunkd.exe
PID=1332
Protocol= TCP
Local address= atelcom-62de949.ssg20-wlan
Local port =1215
Remote address= lab2008
Remote port=9997
Stat= established

0 Karma

Ayn
Legend

Can you connect to the indexer on port 9997 from the host you're running the Universal Forwarder on?

0 Karma

sarah89
Path Finder

Hello all,

Please, can anyone help me? I'm stuck here; I couldn't figure it out.

0 Karma

sarah89
Path Finder

Tell me please, what do the inputs.conf and outputs.conf of the indexer look like?

0 Karma

sarah89
Path Finder

I have only INFO and WARN like this:
04-08-2012 11:59:01.265 +0100 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...

4-08-2012 12:01:25.781 +0100 WARN TcpOutputProc - Cooked connection to ip=192.168.0.45:9997 timed ou

0 Karma

MarioM
Motivator

Check if there are any errors in your forwarder's splunkd.log (splunkforwarder\var\log\splunk\).

0 Karma

sarah89
Path Finder

I still have the problem; please tell me what I should do to fix this.

0 Karma

sarah89
Path Finder

Thanks, I will try to add this to the path.

0 Karma

sarah89
Path Finder

How can I see the splunkd.log around connections to the indexer?

0 Karma

twkan
Splunk Employee

I am not sure if it's a typo error, but can you verify your file is outputs.conf and not output.conf like what you have mentioned?

0 Karma

sarah89
Path Finder

I checked it; it is outputs.conf, not output.conf.
It was just a typo error.

0 Karma

MHibbin
Influencer

Shouldn't the file path in the monitor stanza be absolute, i.e. include the disk? For example...

[monitor://C:\Documents and Settings\sarah\Bureau\splunk image]

Or whatever the location may be... I've always used the absolute path to be certain.

0 Karma

jbsplunk
Splunk Employee

Could you provide some details around what you're seeing in Splunkd.log around connections to the indexer?

0 Karma
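
An added example, not part of any post in this thread and not Splunk's own code: one way to pull the entries "around connections to the indexer" out of a forwarder's splunkd.log and count timeouts per target. The sample lines are constructed, modelled on the two lines quoted above; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, modelled on the splunkd.log lines quoted in this thread.
SAMPLE_LOG = """\
04-08-2012 11:58:40.101 +0100 INFO  TailingProcessor - constructed unrelated tailing message
04-08-2012 11:59:01.265 +0100 INFO  TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
04-08-2012 12:01:25.781 +0100 WARN  TcpOutputProc - Cooked connection to ip=192.168.0.45:9997 timed out
04-08-2012 12:01:55.790 +0100 WARN  TcpOutputProc - Cooked connection to ip=192.168.0.45:9997 timed out
04-08-2012 12:02:10.003 +0100 INFO  SomeOtherComponent - constructed unrelated message
"""

# Layout seen in the thread: timestamp, level, component, " - ", message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})\s+"
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$")
TARGET_RE = re.compile(r"ip=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")

def parse_line(line):
    """Split one splunkd.log line into fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def forwarding_events(text, components=("TcpOutputProc",)):
    """Return parsed events logged by the given components, in file order."""
    events = (parse_line(line) for line in text.splitlines())
    return [e for e in events if e and e["component"] in components]

def summarize(text):
    """Count output timeouts per indexer target and blocked-queue retries."""
    timeouts, blocked = Counter(), 0
    for e in forwarding_events(text, ("TcpOutputProc", "TailingProcessor")):
        target = TARGET_RE.search(e["msg"])
        if e["component"] == "TcpOutputProc" and target and "timed out" in e["msg"]:
            timeouts[f"{target.group(1)}:{target.group(2)}"] += 1
        elif "Could not send data to output queue" in e["msg"]:
            blocked += 1
    return {"timeouts": dict(timeouts), "blocked_queue": blocked}

if __name__ == "__main__":
    for e in forwarding_events(SAMPLE_LOG):
        print(e["ts"], e["level"], e["msg"])
    print(summarize(SAMPLE_LOG))
```

To use it on a real forwarder, read the splunkd.log under splunkforwarder\var\log\splunk\ and pass its text in place of SAMPLE_LOG.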