Installation
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Beginner issues

pck1983
Explorer
‎09-05-2023 03:59 PM

Hello, I try to learn splunk and thatfor I have setup a demo-version in my home-lab on the Linux system...

Actually I have splunk running and I added the local files. Then I activated port 9997 and installed a universal forwarder on my Windows 10 PC.

I can see on Linux with tcpdump that I get packages on port 9997 but I can't get the data into splunk! When I try to add data from a forwarder manually then I see the message that I have actually not forwarders configured...

What am I doing wrong?

Labels (3)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-05-2023 04:40 PM

Have you configured your forwarder firstly to collect data from the host and secondly where to send it?

https://docs.splunk.com/Documentation/Forwarder/9.1.0/Forwarder/Configuretheuniversalforwarder

https://docs.splunk.com/Documentation/Forwarder/9.1.0/Forwarder/Configureforwardingwithoutputs.conf#....

Have you created an index that the UF will send its data to?

0 Karma
Reply

pck1983
Explorer
‎09-05-2023 04:19 PM

I forgot to tell you what my inputs.conf contains:

 

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

[WinEventLog://Setup]
disabled = 0

 

My outputs.conf:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.1.2:9997

[tcpout-server://192.168.1.2:9997]

 

0 Karma
Reply

pck1983
Explorer
‎09-06-2023 01:22 AM

I have it solved - no idea what it was but after I rebooted all of the machines it start to work...

Thanks! 

BTW - when my 60 days of test period are done and I go back to the free license. Will the forwarders work or do I need a prof. license?

I am pretty sure my 3 workstations will not exceed the 500MB / day limit!

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...