Splunk Dev

Data not readable on receiver

eholz1
Contributor

Hello All,

I have a question. It seems that I am unable to correctly configure a relationship from
a server which has the Universal Forwarder installed (and acts like it is forwarding data).
On the forwarder I have inputs set to a log file, and outputs set to the Splunk Enterprise Server.

I have attempted (via the web interface and the CLI) to configure a "receiver" on everyone's favorite port: 9997.
I have not configured anything in "Data Inputs" or "Monitoring" on the Splunk Enterprise server.
I get NO data from the server with the Universal Forwarder installed.

If I delete the receiver port (9997) - go to the Add Data area, select Monitor - and then add port, ip, a generic one line sourcetype,
and an index - I get data in, but all unreadable slashes and zeros, etc.

So my question is - what am I missing here?

Thanks

eholz1

0 Karma
1 Solution

woodcock
Esteemed Legend

Your outputs.conf on the UF should only have this:

[tcpout]
defaultGroup=cacti_index
[tcpout:cacti_index]
server=10.48.11.69:9997

You also need an inputs.conf like this in your indexer:

[splunktcp://9997]


0 Karma


eholz1
Contributor

Hello Mr. Woodcock,

I do still have questions. The universal forwarder seems to be OK. Will incorporate your changes. I may be going to the wrong place to get, or setup the data on the Indexer.

I assumed that part of the configuration on the indexer is: go to Settings, then "Receiving and Forwarding", and set the TCP port there for receiving. When I do this I do not get any data. If I delete this setting, and go to "Settings", Data Input, and monitor Local TCP/UDP,
I get data. If I go down to the "Forwarding and Receiving" section in Data Input, I get no data using "get forwarded data". I am guessing that the lower section in the dialog window is really for an indexer that is set up as a receiver or forwarder. Is this correct?

And - thanks for the post, it is very helpful

eholz1

0 Karma

eholz1
Contributor

One more note - I followed your suggestions, and after restarting the Uni Forwarder and the Splunk indexer, it actually works! I am in shock. Now for my field extractions!

Thanks Again,

eholz1

0 Karma

eholz1
Contributor

Will do:
These files are in /opt/splunkforwarder/etc/system/local

From the server with Universal Forwarder installed:
outputs.conf:
[tcpout]
defaultGroup=cacti_index
[tcpout:cacti_index]
server=10.48.11.69:9997, cacti_index:9996
[tcpout-server://10.48.11.69:9997]

inputs.conf - the file is empty, no entries, only [default].
If I do a ./splunk list monitor it shows the file that I want to monitor.

I have a file: deployement.conf:
[target-broker:deploymentServer]
targetUri = 10.48.11.66:9997

On the Splunk Enterprise Server:
configured from the web gui

I did take a look at the README dir - I will check my config on the forwarder.

Thanks,

Eholz

0 Karma
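The accepted answer and the configuration eholz1 posted above together show the three things that went wrong: a "server=" list containing the group name instead of a second host:port, a stray [tcpout-server://...] stanza, and a receiver built from Add Data > Monitor > TCP, which is a raw [tcp://9997] input. A raw TCP input indexes whatever bytes arrive, and what a Universal Forwarder sends on 9997 is Splunk's own forwarder protocol, not log text, hence the "slashes and zeros". The linter below is an added example written for this page, not Splunk code or anything from the thread's authors; the function names, the sourcetype name in the constructed receiver input, and the assumption that the second file passed in is the receiver's inputs.conf are all mine. One caveat the thread does not cover: a plain [splunktcp://9997] accepts any forwarder that can reach the port, in clear text; the linter only recognizes the splunktcp-ssl stanza form as valid, it does not check TLS settings.

```python
"""Added example: lint a Universal Forwarder outputs.conf against the receiver's
inputs.conf to catch the three mistakes visible in this thread. Not Splunk code."""
import re

# host:port as Splunk expects under "server=" (hostnames: letters, digits, '.', '-')
HOSTPORT = re.compile(r"^(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})$")
# receiver-side stanzas that bind a port: [splunktcp://9997], [splunktcp-ssl:9997],
# [tcp://9997], [tcp-ssl:9997], [udp://514], optionally with a host prefix
STANZA_PORT = re.compile(
    r"^(?P<kind>splunktcp-ssl|splunktcp|tcp-ssl|tcp|udp):(?://)?(?:[^:]+:)?(?P<port>\d+)$"
)


def parse_conf(text):
    """Minimal Splunk .conf parser: {stanza: {key: value}}; no continuation lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def lint_forwarding(outputs_text, inputs_text):
    """Return findings explaining why forwarded data would not arrive, or would
    arrive as unreadable binary; an empty list means the pair looks consistent."""
    findings = []
    out = parse_conf(outputs_text)
    inp = parse_conf(inputs_text)

    group = out.get("tcpout", {}).get("defaultGroup")
    if not group:
        return ["outputs.conf: [tcpout] has no defaultGroup, nothing is forwarded"]
    targets_stanza = out.get(f"tcpout:{group}")
    if targets_stanza is None:
        return [f"outputs.conf: defaultGroup '{group}' has no [tcpout:{group}] stanza"]

    # every comma-separated server entry must be host:port; a group name is not a host
    targets = []
    for entry in targets_stanza.get("server", "").split(","):
        entry = entry.strip()
        m = HOSTPORT.match(entry)
        if not m:
            findings.append(f"outputs.conf: server entry '{entry}' is not a host:port target")
            continue
        targets.append((m["host"], int(m["port"])))

    # [tcpout-server://...] stanzas are unnecessary here and a sign of a hand-mangled file
    for stanza in out:
        if stanza.startswith("tcpout-server://"):
            findings.append(
                f"outputs.conf: stray [{stanza}] stanza; list targets only under [tcpout:{group}]"
            )

    # map each listening port on the receiver to the kind of input bound to it
    receivers = {}
    for stanza in inp:
        m = STANZA_PORT.match(stanza)
        if m:
            receivers[int(m["port"])] = m["kind"]

    for host, port in targets:
        kind = receivers.get(port)
        if kind in ("splunktcp", "splunktcp-ssl"):
            continue  # the receiver speaks the forwarder protocol on this port
        if kind in ("tcp", "tcp-ssl", "udp"):
            findings.append(
                f"inputs.conf: port {port} is a raw [{kind}] input; forwarder traffic on it "
                f"is indexed as binary garbage, use [splunktcp://{port}] instead"
            )
        else:
            findings.append(
                f"inputs.conf: no [splunktcp://{port}] stanza, so {host}:{port} is not receiving"
            )
    return findings


# Constructed samples. BROKEN_OUTPUTS is the poster's file; BROKEN_INPUTS is what an
# "Add Data > Monitor > TCP" input on the receiver looks like (sourcetype name assumed).
BROKEN_OUTPUTS = """[tcpout]
defaultGroup=cacti_index
[tcpout:cacti_index]
server=10.48.11.69:9997, cacti_index:9996
[tcpout-server://10.48.11.69:9997]
"""
BROKEN_INPUTS = """[tcp://9997]
sourcetype = generic_single_line
index = cacti
"""
# The accepted answer's pair.
FIXED_OUTPUTS = """[tcpout]
defaultGroup=cacti_index
[tcpout:cacti_index]
server=10.48.11.69:9997
"""
FIXED_INPUTS = "[splunktcp://9997]\n"

if __name__ == "__main__":
    for label, o, i in (("broken", BROKEN_OUTPUTS, BROKEN_INPUTS),
                        ("fixed", FIXED_OUTPUTS, FIXED_INPUTS)):
        print(label, lint_forwarding(o, i) or ["OK"])
```

Run it against the real files ($SPLUNK_HOME/etc/system/local/outputs.conf on the forwarder and the receiver's inputs.conf) and fix every finding before looking elsewhere; on the forwarder, `splunk list forward-server` then shows whether the receiver is listed under active or configured-but-inactive forwards.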

woodcock
Esteemed Legend

Show us the contents of each inputs.conf and outputs.conf file and which server has it.

0 Karma