Splunk Cloud - Windows client, not working?

sherod
Engager

I am trying to get a Windows 2008 box hooked into Splunk cloud.

Specifically I want to forward logs from a custom log file to my Splunk Cloud 14 day trial account.

I have downloaded and installed the Universal forwarder from the generic download page (instructions stating I'd get a 'welcome email with custom download' appear to be incorrect).

I have installed the universal forwarder and configured its 'etc\system\local\outputs.conf' file like so:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server =  input-prd-p-nq5bfls7RANDOM.cloud.splunk.com:9997

[tcpout-server://input-prd-p-nq5bfls7RANDOM.cloud.splunk.com:9997]

Running 'splunk list monitor' shows I'm monitoring files:

c:\Program Files\SplunkUniversalForwarder\bin>splunk list monitor
Your session is invalid.  Please login.
Splunk username: admin
Password:
Monitored Directories:
        $SPLUNK_HOME\var\log\splunk\splunkd.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\audit.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\btool.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\conf.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\first_install.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_audit.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_usage.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\mongod.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\remote_searches.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\scheduler.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\searchhistory.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd-utility.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd_access.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd_ui_access.log
        $SPLUNK_HOME\var\spool\splunk\...stash_new
Monitored Files:
        $SPLUNK_HOME\etc\splunk.version
        C:\Program Files (x86)\mmc-distribution-mule-console-bundle-3.6.0\mule-enterprise-3.6.0\logs\mule_ee.log

and a tail of the splunkd.log shows this:

01-22-2015 14:35:09.789 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
01-22-2015 14:35:39.071 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
01-22-2015 14:36:09.077 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.

And nothing is being logged to the Cloud.

How do I further debug this?

yannK
Splunk Employee

Please see this answer:
http://answers.splunk.com/answers/147295/how-do-i-send-my-own-data-into-a-splunk-cloud-sandbox-trial...

In particular this recent update:

You can now download an app which you can install into a universal forwarder from the sandbox instance itself. After logging into your instance, click on the "Universal Forwarder" app from the launcher page. From the subsequent page you can download the app and follow the instructions to install it into a universal forwarder.
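As an added example, written for this thread and not code from Splunk or from either poster: a small offline checker that parses the outputs.conf and the splunkd.log lines sherod posted and reports why the cloud endpoint keeps resetting the session. It assumes that the forwarder app yannK points to writes TLS settings (sslRootCAPath plus clientCert or sslCertPath) into outputs.conf, and that a plain, hand-written tcpout stanza aimed at a cloud input endpoint is what gets its connection closed; the two sample inputs are constructed copies of the question's config and log.

```python
import re
import statistics
from datetime import datetime

# Constructed sample: the outputs.conf posted in the question (plain tcpout, no TLS keys).
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server =  input-prd-p-nq5bfls7RANDOM.cloud.splunk.com:9997

[tcpout-server://input-prd-p-nq5bfls7RANDOM.cloud.splunk.com:9997]
"""

# Constructed sample: the three splunkd.log lines from the question.
SAMPLE_SPLUNKD_LOG = """\
01-22-2015 14:35:09.789 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
01-22-2015 14:35:39.071 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
01-22-2015 14:36:09.077 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
KV_RE = re.compile(r"^(?P<key>[^=#\s][^=]*?)\s*=\s*(?P<value>.*?)$")
# splunkd.log layout: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"(?P<level>[A-Z]+) (?P<component>\S+) - (?P<msg>.*)$"
)
# outputs.conf keys the Splunk Cloud forwarder-credentials app is assumed (for this
# example) to supply; a hand-written tcpout stanza usually carries none of them.
TLS_KEYS = ("sslRootCAPath", "clientCert", "sslCertPath")


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}} (comments and blanks skipped)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group("name"), {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[m.group("key")] = m.group("value")
    return stanzas


def parse_log(text):
    """Parse splunkd.log lines into dicts; lines that do not match the layout are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["time"] = datetime.strptime(ev["ts"], "%m-%d-%Y %H:%M:%S.%f")
            events.append(ev)
    return events


def output_targets(conf):
    """Return (group, [server:port, ...], [TLS keys present]) for the default tcpout group."""
    group = conf.get("tcpout", {}).get("defaultGroup", "")
    stanza = conf.get("tcpout:" + group, {})
    servers = [s.strip() for s in stanza.get("server", "").split(",") if s.strip()]
    tls_present = [k for k in TLS_KEYS if k in stanza]
    return group, servers, tls_present


def diagnose(conf_text, log_text):
    """Combine the config view and the log view into a short list of findings."""
    group, servers, tls_present = output_targets(parse_conf(conf_text))
    resets = [e for e in parse_log(log_text)
              if e["component"] == "TcpOutputFd" and "forcibly closed" in e["msg"]]
    gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(resets, resets[1:])]
    cloud_targets = [s for s in servers if ".cloud.splunk.com:" in s]
    result = {
        "group": group,
        "servers": servers,
        "tls_present": tls_present,
        "reset_count": len(resets),
        "retry_interval_s": statistics.median(gaps) if gaps else None,
        "findings": [],
    }
    if not servers:
        result["findings"].append("tcpout group %r has no server= line" % group)
    if resets:
        # A reset after connect (rather than a connect timeout) means the TCP path is
        # open and the remote end itself is refusing the session.
        result["findings"].append("%d connection resets from the forwarding target" % len(resets))
    if cloud_targets and not tls_present and resets:
        result["findings"].append(
            "target is a Splunk Cloud endpoint but the tcpout stanza carries none of "
            "%s; install the forwarder credentials app from the cloud instance instead "
            "of a hand-written outputs.conf" % ", ".join(TLS_KEYS))
    return result


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_OUTPUTS_CONF, SAMPLE_SPLUNKD_LOG)["findings"]:
        print("-", finding)
```

Run it against a real forwarder by reading `etc\system\local\outputs.conf` (or the app's own `local\outputs.conf`) and the last few hundred lines of `var\log\splunk\splunkd.log` in place of the two constructed samples. The retry interval it reports (about 30 seconds here) distinguishes this failure from a blocked port: a firewall drop shows up as connect timeouts, while a reset right after connect means the endpoint accepted the TCP session and then rejected it.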

sherod
Engager

That doesn't help. As I said, I've installed the universal forwarder and set it up. It's just not forwarding logs. The trial instructions are piecemeal and conflicting.

Evaluating the product shouldn't be this hard. That's some feedback for Splunk product management.
