Splunk Cloud Platform

Splunk Cloud - Windows client, not working?


I am trying to get a Windows 2008 box hooked into Splunk cloud.

Specifically I want to forward logs from a custom log file to my Splunk Cloud 14-day trial account.

I have downloaded and installed the Universal forwarder from the generic download page (instructions stating I'd get a 'welcome email with custom download' appear to be incorrect).

I have installed the universal forwarder and configured its 'etc\system\local\outputs.conf' file like so:

defaultGroup = default-autolb-group

server =  input-prd-p-nq5bfls7RANDOM.cloud.splunk.com:9997


Running 'splunk list monitor' shows I'm monitoring files:

c:\Program Files\SplunkUniversalForwarder\bin>splunk list monitor
Your session is invalid.  Please login.
Splunk username: admin
Monitored Directories:
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\audit.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\btool.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\conf.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\first_install.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_audit.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_usage.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\mongod.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\remote_searches.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\scheduler.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\searchhistory.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd-utility.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd_access.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd_ui_access.log
Monitored Files:
        C:\Program Files (x86)\mmc-distribution-mule-console-bundle-3.6.0\mule-enterprise-3.6.0\logs\mule_ee.log

and a tail of the splunkd.log shows this:

01-22-2015 14:35:09.789 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
01-22-2015 14:35:39.071 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
01-22-2015 14:36:09.077 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.

And nothing is being logged to the Cloud.

How do I further debug this?

Splunk Employee

Please see this answer:

in particular this recent update:

You can now download an app which you can install into a universal forwarder from the sandbox instance itself. After logging into your instance, click on the "Universal Forwarder" app from the launcher page. From the subsequent page you can download the app and follow the instructions to install it into a universal forwarder.
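The thread stops at "install the app and follow the instructions", which leaves the original question (how to debug a forwarder that is configured but sends nothing) unanswered. The script below is an added example, not something posted in this thread or shipped by Splunk. It assumes the default Universal Forwarder install path shown in the question, that the forwarder's own `splunk.exe` and `btool` are on disk, and that the `server` line in outputs.conf holds a single `host:port` pair. It is written for the PowerShell 2.0 that Windows Server 2008 ships with, so it avoids `Test-NetConnection` and `Get-Content -Tail`.

```powershell
# Added example, not from the thread: first-pass checks for a Universal Forwarder
# that is configured but not delivering to Splunk Cloud.
# Assumptions: default install path; 'server = host:port' with one target.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'   # assumption: default path
$Splunk     = Join-Path $SplunkHome 'bin\splunk.exe'
$SplunkdLog = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'

# 1. Print the merged outputs.conf with the file each setting came from.
#    A missing [tcpout] stanza, or no SSL settings at all, is visible here.
& $Splunk btool outputs list --debug

# 2. Ask the forwarder which forward-servers are active versus merely configured.
& $Splunk list forward-server

# 3. Extract the configured server(s) and test raw TCP reachability to each.
#    System.Net.Sockets.TcpClient is used because Test-NetConnection does not
#    exist on Windows Server 2008.
$serverLines = (& $Splunk btool outputs list) | Select-String -Pattern '^server\s*='
foreach ($line in $serverLines) {
    $targets = (($line.Line -split '=', 2)[1]).Trim() -split ','
    foreach ($target in $targets) {
        $hostName, $port = $target.Trim() -split ':'
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($hostName, [int]$port)
            "TCP connect to ${hostName}:${port} succeeded"
        } catch {
            "TCP connect to ${hostName}:${port} FAILED: $($_.Exception.Message)"
        } finally {
            $client.Close()
        }
    }
}

# 4. Show the most recent output-side errors. TcpOutputFd / TcpOutputProc lines
#    are where rejected connections and TLS handshake failures are reported.
Get-Content $SplunkdLog |
    Select-String -Pattern 'TcpOutput' |
    Select-Object -Last 20
```

Read the results together: if step 3 connects but step 4 keeps showing "An existing connection was forcibly closed by the remote host", the network path is fine and the rejection is happening at the application layer, which on Splunk Cloud usually means the indexer expects TLS that the forwarder is not presenting. That is exactly what the forwarder app downloaded from the cloud instance is meant to supply, so compare the `--debug` output from step 1 before and after installing it.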


That doesn't help. As I said, I've installed the universal forwarder and set it up. It's just not forwarding logs. The trial instructions are piecemeal and conflicting.

Evaluating the product shouldn't be this hard. That's some feedback for splunk product management.
