please I need help ,
I deployed a universal forward by following tutorial "distributed deployement manual"
The universal forward is in the machine configured like this:
inputs.conf
[default]
host = atelcom-62de949
[monitor://Documents and Settings\sarah\Bureau\splunk image]
disabled = false
output.conf
[tcpout]
defaultGroup = 192.168.0.45_9997
[tcpout:192.168.0.45_9997]
server = 192.168.0.45:9997
[tcpout-server://192.168.0.45:9997]
The Splunk instance (the indexer) is installed in a windows server 2008 virtual machine.
I enable the receiver but when i use the deployment monitor to see the forwarder and I don't find anything from it, it doesn't seem to be working.
Can you please tell me how to fix this?
i had to disable the firewalls of windows server 2008
thk's a lot , i get it
You should have a look at splunkd.log on the indexer to see what error messages you're getting. Ideas on possible problems: non-SSL connection to an SSL enabled listening port, mismatch on compression settings.
splunk server :
Process= splunkd.exe
PID=1360
Protocol= TCP
Local address= lab2008
Local port =9997
Remote address= lab2008
Remote port=0
Stat= LISTENING
universal forwarder :
Process= splunkd.exe
PID=1332
Protocol= TCP
Local address= atelcom-62de949.ssg20-wlan
Local port =1215
Remote address= lab2008
Remote port=9997
Stat= etablished
Can you connect to the indexer on port 9997 from the host you're running the Universal Forwarder on?
hello alls
please can anyone help me , i'm stucking here , i couldn't figure it out
tell me please , how the inputs.conf and outputs.conf of the indexer looks like ?
i have only info and warm like this
04-08-2012 11:59:01.265 +0100 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
4-08-2012 12:01:25.781 +0100 WARN TcpOutputProc - Cooked connection to ip=192.168.0.45:9997 timed ou
check if any error in your Forwarder splunkd.log (splunkforwarder\var\log\splunk\)
i still have the problem , please tell what i shoul do to fix this
thk's i will try to add this to the path
how can i see the splunkd.log around connections to the indexer
I am not sure if it's a typo error, but can you verify your file is outputs.conf and not output.conf like what you have mentioned?
i checked it ,it outputs.conf not output.conf
it's was just a typo error
Shouldn't the file path in the monitor stanza be absolute, i.e. include the disk. for example...
[monitor://C:\Documents and Settings\sarah\Bureau\splunk image]
Or whatever the location may be... I've always used the absolute path to be certain.
Could you provide some details around what you're seeing in Splunkd.log around connections to the indexer?