Splunk Cloud Platform

Splunk Cloud - Windows client, not working?

sherod
Engager

I am trying to get a Windows 2008 box hooked into Splunk cloud.

Specifically I want to forward logs from a custom log file to my Splunk Cloud 14 day trial account.

I have downloaded and installed the Universal forwarder from the generic download page (instructions stating I'd get a 'welcome email with custom download' appear to be incorrect).

I have installed the universal forwarder and configured its 'etc\system\local\outputs.conf' file like so:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server =  input-prd-p-nq5bfls7RANDOM.cloud.splunk.com:9997

[tcpout-server://input-prd-p-nq5bfls7RANDOM.cloud.splunk.com:9997]

Running 'splunk list monitor' shows I'm monitoring files:

c:\Program Files\SplunkUniversalForwarder\bin>splunk list monitor
Your session is invalid.  Please login.
Splunk username: admin
Password:
Monitored Directories:
        $SPLUNK_HOME\var\log\splunk\splunkd.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\audit.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\btool.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\conf.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\first_install.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_audit.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\license_usage.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\mongod.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\remote_searches.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\scheduler.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\searchhistory.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd-utility.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd_access.log
                C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd_ui_access.log
        $SPLUNK_HOME\var\spool\splunk\...stash_new
Monitored Files:
        $SPLUNK_HOME\etc\splunk.version
        C:\Program Files (x86)\mmc-distribution-mule-console-bundle-3.6.0\mule-enterprise-3.6.0\logs\mule_ee.log

and a tail of the splunkd.log shows this:

01-22-2015 14:35:09.789 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
01-22-2015 14:35:39.071 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
01-22-2015 14:36:09.077 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.

And nothing is being logged to the Cloud.

How do I further debug this??

yannK
Splunk Employee

Please see this answer:
http://answers.splunk.com/answers/147295/how-do-i-send-my-own-data-into-a-splunk-cloud-sandbox-trial...

In particular, this recent update:

You can now download an app which you can install into a universal forwarder from the sandbox instance itself. After logging into your instance, click on the "Universal Forwarder" app from the launcher page. From the subsequent page you can download the app and follow the instructions to install it into a universal forwarder.

sherod
Engager

That doesn't help. As I said, I've installed the universal forwarder and set it up. It's just not forwarding logs. The trial instructions are piecemeal and conflicting.

Evaluating the product shouldn't be this hard. That's some feedback for splunk product management.

0 Karma
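
One way to approach the "how do I further debug this" question from the forwarder side, as an added example (not code from the thread or from Splunk): a Python script that groups splunkd.log errors by component and message and reports how regularly each one repeats. The sample input is the three log lines quoted in the question; the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# splunkd.log layout: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<message>.*)$"
)

# The three lines quoted in the question above.
SAMPLE = """\
01-22-2015 14:35:09.789 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
01-22-2015 14:35:39.071 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
01-22-2015 14:36:09.077 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
"""

def parse(text):
    """Yield (timestamp, level, component, message); skip lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f %z")
            yield ts, m["level"], m["component"], m["message"]

def summarize(text, levels=("ERROR", "WARN")):
    """Group events by (component, message); report count and mean gap in seconds."""
    groups = defaultdict(list)
    for ts, level, component, message in parse(text):
        if level in levels:
            groups[(component, message)].append(ts)
    report = []
    for (component, message), stamps in groups.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = round(sum(gaps) / len(gaps), 1) if gaps else None
        report.append({"component": component, "message": message,
                       "count": len(stamps), "first": stamps[0],
                       "last": stamps[-1], "mean_gap_s": mean_gap})
    # Most frequent problem first.
    return sorted(report, key=lambda r: r["count"], reverse=True)

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(f'{row["count"]:>4}x every ~{row["mean_gap_s"]}s  '
              f'{row["component"]}: {row["message"]}')
```

On the quoted lines this reports a single TcpOutputFd error repeating roughly every 30 seconds, which points to the output connection being retried and closed by the remote end each time rather than to a problem with the monitored file inputs.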