Hi,
I am new to Splunk and installed the Splunk server on Windows 2008 R2 Std., and added the *.nix app successfully on the server.
After installing splunkforwarder-4.3.4-136012.i386.rpm on one Unix client machine, where do I need to define the Splunk server IP address or port number to send the data to the Splunk server?
regards
Sachin
I made the changes in the /opt/splunkforwarder/etc/system/local/outputs.conf file only:
[tcpout]
defaultGroup = my_indexers
[tcpout:my_indexers]
server = 10.100.0.69:9997
Below is the error from the splunkd.log file.
09-14-2012 11:25:56.706 +0530 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
09-14-2012 11:26:08.706 +0530 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
09-14-2012 11:26:20.707 +0530 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
09-14-2012 11:26:20.707 +0530 INFO HttpPubSubConnection - Could not obtain connection, will retry after 60 seconds.
09-14-2012 11:26:21.158 +0530 INFO TcpOutputProc - Removing quarantine from idx=10.100.0.69:9997
09-14-2012 11:26:21.159 +0530 WARN TcpOutputFd - Connect to 10.100.0.69:9997 failed. Connection refused
09-14-2012 11:26:21.159 +0530 ERROR TcpOutputFd - Connection to host=10.100.0.69:9997 failed
09-14-2012 11:26:21.159 +0530 WARN TcpOutputProc - Applying quarantine to idx=10.100.0.69:9997 numberOfFailures=4
09-14-2012 11:26:32.707 +0530 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
09-14-2012 11:26:44.707 +0530 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
09-14-2012 11:26:51.160 +0530 INFO TcpOutputProc - Removing quarantine from idx=10.100.0.69:9997
09-14-2012 11:26:51.161 +0530 WARN TcpOutputFd - Connect to 10.100.0.69:9997 failed. Connection refused
09-14-2012 11:26:51.161 +0530 ERROR TcpOutputFd - Connection to host=10.100.0.69:9997 failed
09-14-2012 11:26:51.161 +0530 WARN TcpOutputProc - Applying quarantine to idx=10.100.0.69:9997 numberOfFailures=5
Please let me know what the simple steps are to add a Unix machine to the Splunk server (which is running on a Windows 2008 R2 server).
Could you please stop posting your comments as answers. Right now it looks like your question has been answered 8 times.
I am able to telnet to the 10.100.0.69:9997 server. There is no firewall issue because the Windows firewall is off.
Connect to 10.100.0.69:9997 failed. Connection refused
You have a problem. Why is your indexer refusing connections? Firewall? Wrong IP?
Can anyone help me with the above query?
After configuring the above setting, my Splunk server is not indexing data and I am getting the below error. Also, my Splunk server is installed on Windows Server 2008 R2 Server.
Error:- skipped indexing of internal audit event will keep dropping events until indexer congestion is remedied. Check disk space and other issues that may cause indexer to block.
A couple of points you can start off of:
1) Have you configured the inputs.conf on the indexer to listen at this port?
2) Have you opened up the port on your windows firewall on the indexer?
3) If you are planning on having your forwarder on your unix machine be a client of the deployment server on the indexer, you are going to want to match the management ports on both machines. And make sure that it's open on the firewall.
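A triage sketch for the forwarder's splunkd.log, added here as an example (it is not part of the original thread and not Splunk tooling): it groups the TcpOutputFd connect failures by indexer and maps the OS error text to the checks listed above. The `diagnose` name, the hint wording, and the constructed 192.0.2.10 timeout line are assumptions.

```python
import re

# First five lines are copied from the splunkd.log excerpt in the question; the
# last line is constructed (documentation IP, assumed wording) for contrast.
SAMPLE_LOG = """\
09-14-2012 11:26:20.707 +0530 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
09-14-2012 11:26:21.159 +0530 WARN TcpOutputFd - Connect to 10.100.0.69:9997 failed. Connection refused
09-14-2012 11:26:21.159 +0530 WARN TcpOutputProc - Applying quarantine to idx=10.100.0.69:9997 numberOfFailures=4
09-14-2012 11:26:51.161 +0530 WARN TcpOutputFd - Connect to 10.100.0.69:9997 failed. Connection refused
09-14-2012 11:26:51.161 +0530 WARN TcpOutputProc - Applying quarantine to idx=10.100.0.69:9997 numberOfFailures=5
09-14-2012 11:27:30.000 +0530 WARN TcpOutputFd - Connect to 192.0.2.10:9997 failed. Connection timed out
"""

# timestamp (3 tokens), level, component, " - ", message
LINE = re.compile(r"^(\S+ \S+ \S+) (\w+)\s+(\w+) - (.*)$")
CONNECT = re.compile(r"Connect to (\S+) failed\. (.+)$")
QUARANTINE = re.compile(r"Applying quarantine to idx=(\S+) numberOfFailures=(\d+)")

# Assumed mapping from the OS error text to the checks suggested in the thread.
HINTS = {
    "Connection refused": "host answered but nothing is listening on that port: "
                          "check that the indexer's inputs.conf opens the receiving port",
    "Connection timed out": "no reply at all: check firewall rules and the server IP",
}

def diagnose(log_text):
    """Return ({indexer: {reasons, failures, hint}}, deployment handshake warning count)."""
    targets, handshake_warnings = {}, 0
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        component, message = m.group(3), m.group(4)
        if component == "DeploymentClient" and "handshake" in message:
            handshake_warnings += 1  # deployment server issue, separate from tcpout
            continue
        c, q = CONNECT.search(message), QUARANTINE.search(message)
        if c:
            t = targets.setdefault(c.group(1), {"reasons": {}, "failures": 0})
            t["reasons"][c.group(2)] = t["reasons"].get(c.group(2), 0) + 1
        elif q:
            t = targets.setdefault(q.group(1), {"reasons": {}, "failures": 0})
            t["failures"] = max(t["failures"], int(q.group(2)))
    for t in targets.values():
        top = max(t["reasons"], key=t["reasons"].get, default=None)
        t["hint"] = HINTS.get(top, "unrecognised reason; read the raw lines")
    return targets, handshake_warnings

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```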
In order to define what server to write to, you need to update the outputs.conf file under $SPLUNK_HOME/bin/etc/system/local. See: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd
The basic definition should look like this:
[tcpout]
defaultGroup=my_indexers
[tcpout:my_indexers]
server=mysplunk_indexer1:9997
Remember to check the port defined under the inputs.conf of the indexer and match it to the forwarder one (or vice versa). More details on Indexer inputs.conf here: http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf#inputs.conf.example
Note that you need to define entries in the inputs.conf on your forwarder too. This is where you define what files you are going to monitor and send to the indexer. These links should help with this part:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Editinputs.conf
http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/Specifyinputpathswithwildcards
You can define the Splunk server and port through the CLI. This is covered in the docs section here: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Deployanixdfmanually
Please share the file path where I need to add the Splunk server IP or port number.
The client machine is Unix.
Did you add any inputs on the forwarder?
I tried the given URL and added the server IP and port, but no data is showing in the Splunk server.