I have installed Splunk server for Windows on my machine successfully. I wanted to run uberAgent to capture desktop activities, so I downloaded the uberAgent technology add-on and the UI app, and successfully installed uberAgent under Apps in my Splunk Web. I also installed the Splunk forwarder, copied the uberAgent TA, and see uberAgent.exe in my Task Manager. The agent has started collecting the data into C:\Windows\Temp\uberAgent.log.
Now, when I go to uberAgent in Splunk Web, I do not see any log activities. How do I make the uberAgent.log data display in the uberAgent app in Splunk Web?
Note: I have installed Splunk, the Splunk forwarder and uberAgent all on the same desktop machine, and in the Splunk forwarder installation setup I gave the same machine's IP to send the data to.
Am I missing something? Please help me get this sorted out, since I need to do a little demo on how Splunk collects and displays desktop-related data through uberAgent.
Hi Helge, thanks for making things clear. I just want to revalidate my thoughts and have a few questions:
Tell me if my understanding is right. I followed these instructions:
Machine on which the Splunk server is running:
Goto Manager -> Forwarding and receiving -> Receive data -> Add new -> 9997 -> Save.
Machine on which the Splunk forwarder/uberAgent is running:
On installation of the Splunk forwarder, give the IP of the machine on which the Splunk server is running. Should I give the port as "9997" to send data to that port?
The re-edit hangs after "save edit". Could you answer me about the same-domain setup? Should the Splunk server machine and the Splunk forwarder all be under the same domain to send data? Should I configure the Splunk server machine IP and port 9997 on installation?
@sowmy: You should update your original question instead of adding more questions as an answer. You can find information about reconfiguring the Universal Forwarder here: http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Deploymentoverview#General_configuration_is.... I would recommend uninstalling and reinstalling the forwarder, however.
To avoid confusion: uberAgent writes the data it collects directly to Splunk's Universal Forwarder. The file uberAgent.log is only for status messages, i.e. troubleshooting uberAgent.
Did you follow the steps in the documentation? Please review closely:
The missing piece might be that the receiver is not enabled. From the documentation linked to above: "Set up receiving data from forwarders, e.g. through Manager -> Forwarding and receiving -> Receive data -> Add new -> 9997 -> Save."
Just to be on the safe side you should check if any data arrives from uberAgent by running the following in the Splunk search app:
If all this does not help: are there any errors in uberAgent.log?
Hi, I just did the steps, but I still see no data when I go to Splunk Web -> Apps -> uberAgent. I want my log data to be displayed here; right now the page says 0 sessions, 0 views and all the tables are empty.
The steps you listed actually connect the collected data to the Splunk server as a new source type. I want uberAgent.log to be read by its UI counterpart (uberAgent under Splunk Web/Apps).
You don't need to use the forwarder in this case. In your Splunk Web UI, go to Manager > Data Inputs > Files and Directories > New. Then browse for your uberAgent.log file and set it up as an input. This should get you the data you need into Splunk.