Hello All,
I have a question. It seems that I am unable to correctly configure a relationship from
a server which has the Universal Forwarder installed (and acts like it is forwarding data).
On the forwarder I have inputs set to a log file, and outputs set to the Splunk Enterprise Server.
I have attempted (via the web interface and the CLI) to configure a "receiver" on everyone's favorite port: 9997.
I have not configured anything in "Data Inputs" or "Monitoring" on the Splunk Enterprise server.
I get NO data from the server with the Universal Forwarder installed.
If I delete the receiver port (9997) - go to the Add Data area, select Monitor - and then add port, ip, a generic one line sourcetype,
and an index - I get data in, but all unreadable slashes and zeros, etc.
So my question is - what am I missing here?
Thanks
eholz1
Your outputs.conf on the UF should only have this:
[tcpout]
defaultGroup=cacti_index
[tcpout:cacti_index]
server=10.48.11.69:9997
You also need an inputs.conf like this in your indexer:
[splunktcp://9997]
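Added example, not part of the original answer: a small Python check that pairs a forwarder's outputs.conf with an indexer's inputs.conf and reports when the target port has no `splunktcp` receiver, or is only a raw `tcp` input (the setup that produced the unreadable data in the question). The sample configs are constructed from the values in this thread, and the sourcetype name and function names are hypothetical.

```python
import re

# Constructed samples modeled on the thread's configs (not the poster's real files).
UF_OUTPUTS = """[tcpout]
defaultGroup=cacti_index
[tcpout:cacti_index]
server=10.48.11.69:9997
"""
INDEXER_RAW = "[tcp://9997]\nsourcetype=generic_single_line\n"  # raw TCP data input
INDEXER_S2S = "[splunktcp://9997]\n"                             # receiver, as in the answer

def parse_conf(text):
    """Parse Splunk .conf text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def split_list(value):
    """Split a comma-separated setting into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]

def check_forwarding(outputs_text, inputs_text):
    """Return findings for one forwarder outputs.conf and one indexer inputs.conf."""
    out, findings, listeners = parse_conf(outputs_text), [], {}
    for name in parse_conf(inputs_text):
        m = re.fullmatch(r"(splunktcp|tcp)://(?:[^:]*:)?(\d+)", name)
        if m:  # record which input type listens on each port
            listeners.setdefault(m.group(2), set()).add(m.group(1))
    for group in split_list(out.get("tcpout", {}).get("defaultGroup", "")):
        stanza = out.get("tcpout:" + group)
        if stanza is None:
            findings.append(f"defaultGroup {group}: no [tcpout:{group}] stanza")
            continue
        for target in split_list(stanza.get("server", "")):
            port = target.rpartition(":")[2]
            kinds = listeners.get(port, set())
            if "splunktcp" in kinds:
                continue  # forwarder traffic lands on a proper receiver
            if "tcp" in kinds:
                findings.append(f"{target}: port {port} is a raw [tcp://] input, "
                                "forwarder stream will be unreadable")
            else:
                findings.append(f"{target}: no [splunktcp://{port}] receiver")
    return findings
```

`check_forwarding(UF_OUTPUTS, INDEXER_S2S)` returns an empty list, while passing `INDEXER_RAW` returns one finding for port 9997.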
Hello Mr. Woodcock,
I do still have questions. The universal forwarder seems to be OK. Will incorporate your changes. I may be going to the wrong place to get, or set up, the data on the Indexer.
I assumed that part of the configuration on the indexer is: Go to settings, then "Receiving and Forwarding" and set the TCP port there for receiving. When I do this I do not get any data. If I delete this setting, and go to "Settings", Data Input, and monitor Local TCP/UDP,
I get data. If I go down to the "Forwarding and Receiving" section in Data Input, I get no data using "get forwarded" data. I am guessing that the lower section in the dialog window is really for an indexer that is set up as a receiver or forwarder. Is this correct?
And - thanks for the post, it is very helpful
eholz1
One more note - followed your suggestions, and after restarting the Uni Forwarder and the Splunk indexer
with your suggestions, it actually works! I am in shock. Now for my field extractions!
Thanks Again,
eholz1
Will do:
These files are in /opt/splunkforwarder/etc/system/local
From the server with Universal Forwarder installed:
outputs.conf:
[tcpout]
defaultGroup=cacti_index
[tcpout:cacti_index]
server=10.48.11.69:9997, cacti_index:9996
[tcpout-server://10.48.11.69:9997]
inputs.conf - file is empty, no entries, only [default]
If I do a ./splunk list monitor it shows the file that I want to monitor.
I have a file: deployement.conf:
[target-broker:deploymentServer]
targetUri = 10.48.11.66:9997
On the Splunk Enterprise Server:
configured from the web gui
I did take a look at the README dir - I will check my config on the forwarder.
Thanks,
Eholz
Show us the contents of each inputs.conf and outputs.conf file and which server has it.