Splunk Cloud Platform

Splunk Cloud - Windows client, not working?

sherod
Engager

I am trying to get a Windows 2008 box hooked into Splunk cloud.

Specifically I want to forward logs from a custom log file to my Splunk Cloud 14-day trial account.

I have downloaded and installed the Universal forwarder from the generic download page (instructions stating I'd get a 'welcome email with custom download' appear to be incorrect).

I have installed the universal forwarder and configured its 'etc\system\local\outputs.conf' file like so:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server =  input-prd-p-nq5bfls7RANDOM.cloud.splunk.com:9997

[tcpout-server://input-prd-p-nq5bfls7RANDOM.cloud.splunk.com:9997]

Running 'splunk list monitor' shows I'm monitoring files:

c:\Program Files\SplunkUniversalForwarder\bin>splunk list monitor
Your session is invalid.  Please login.
Splunk username: admin
Password:
Monitored Directories:
        $SPLUNK_HOME\var\log\splunk\splunkd.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\audit.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\btool.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\conf.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\first_install.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_audit.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_usage.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\mongod.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\remote_searches.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\scheduler.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\searchhistory.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd-utility.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd_access.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd_ui_access.log
        $SPLUNK_HOME\var\spool\splunk\...stash_new
Monitored Files:
        $SPLUNK_HOME\etc\splunk.version
        C:\Program Files (x86)\mmc-distribution-mule-console-bundle-3.6.0\mule-enterprise-3.6.0\logs\mule_ee.log

and a tail of the splunkd.log shows this:

01-22-2015 14:35:09.789 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
01-22-2015 14:35:39.071 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
01-22-2015 14:36:09.077 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.

And nothing is being logged to the Cloud.

How do I further debug this?

yannK
Splunk Employee

Please see this answer:
http://answers.splunk.com/answers/147295/how-do-i-send-my-own-data-into-a-splunk-cloud-sandbox-trial...

In particular this recent update:

You can now download an app which you can install into a universal forwarder from the sandbox instance itself. After logging into your instance, click on the "Universal Forwarder" app from the launcher page. From the subsequent page you can download the app and follow the instructions to install it into a universal forwarder.
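A triage helper for the symptoms in the question, added here as an example (not code from the poster or from Splunk): it parses the tcpout stanzas of outputs.conf and the splunkd.log lines, counts the TcpOutputFd read errors with their retry cadence, and reports whether the active output group carries any client TLS keys. The config and log samples are constructed from the post, and the assumption that a Cloud-bound forwarder should carry those keys (the forwarder app from the instance normally writes them) is mine.

```python
import re
from datetime import datetime
# Constructed samples mirroring the poster's outputs.conf and splunkd.log lines.
OUTPUTS_CONF = """
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server =  input-prd-p-nq5bfls7RANDOM.cloud.splunk.com:9997
[tcpout-server://input-prd-p-nq5bfls7RANDOM.cloud.splunk.com:9997]
"""
SPLUNKD_LOG = """\
01-22-2015 14:35:09.789 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
01-22-2015 14:35:39.071 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
01-22-2015 14:36:09.077 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
"""
LOG_RE = re.compile(r"^(\S+ \S+) [+-]\d{4} (\w+) (\S+) - (.*)$")
TLS_KEYS = ("sslCertPath", "clientCert", "sslRootCAPath", "sslPassword")  # assumed Cloud keys

def parse_conf(text):
    # Splunk .conf files are INI-like: [stanza] headers followed by key = value lines.
    stanzas, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def tcpout_errors(text):
    # (timestamp, message) for every ERROR line the TcpOutputFd component logged.
    found = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        if m.group(2) == "ERROR" and m.group(3) == "TcpOutputFd":
            found.append((datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S.%f"), m.group(4)))
    return found

def diagnose(conf_text, log_text):
    # Correlate the active tcpout group with the forwarder's own error log.
    conf = parse_conf(conf_text)
    group = conf.get("tcpout", {}).get("defaultGroup", "")
    group_conf = {**conf.get("tcpout", {}), **conf.get("tcpout:" + group, {})}
    errors = tcpout_errors(log_text)
    retry = [round((b[0] - a[0]).total_seconds(), 3) for a, b in zip(errors, errors[1:])]
    tls = any(k in group_conf for k in TLS_KEYS)
    closed = sum("forcibly closed" in msg for _, msg in errors)
    verdict = ("receiver closes every session and outputs.conf sets no client TLS keys"
               if closed and not tls else "no clear misconfiguration in the sample")
    return {"server": group_conf.get("server"), "tls_configured": tls,
            "closed_count": closed, "retry_seconds": retry, "verdict": verdict}
```

Run `diagnose(OUTPUTS_CONF, SPLUNKD_LOG)` against the real files to see the roughly 30-second reconnect cadence from the log and whether the tcpout group has any certificate settings at all.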

sherod
Engager

That doesn't help. As I said, I've installed the universal forwarder and set it up. It's just not forwarding logs. The trial instructions are piecemeal and conflicting.

Evaluating the product shouldn't be this hard. That's some feedback for Splunk product management.
