Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can't see list of Forwarders on Search Head?

Gregski11
Contributor
‎12-28-2022 04:15 PM

despite having a local\outputs.conf file properly populated with 6 Indexers one of our non clustered Search Heads does not show anything under Forward data as defined in the Web GUI

any suggestions where and how to check what is over writing this 

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-28-2022 05:03 PM

The outputs.conf file tells a Splunk instance where to send its data.  It does NOT tell a SH what or where any forwarders are. 

You can use the Monitoring Console to see your forwarders, but you'll have to enable Forwarder Monitoring first in the Settings menu.

---
If this reply helps you, Karma would be appreciated.
Reply

Gregski11
Contributor
‎12-30-2022 07:07 AM

Hi Rich, sorry about that poor choice of words on my part, though Splunk does make it a bit confusing in the Web UI, so it's under Settings \ [DATA] Forwarding and receiving and then under the Forward data section you click on Configure forwarding

 

 

 

Preview file
106 KB
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-30-2022 09:38 AM

The Configure Forwarding page is where one tells that Splunk instance (SH, in this case) where to forward data.  It's an alternative to editing an outputs.conf file on that server.  The page has no bearing on your heavy or universal forwarders.

There is the Settings->Forwarder Management page for managing forwarders, but that should only be used on your Deployment Server.

What problem are you trying to solve?

---
If this reply helps you, Karma would be appreciated.
Reply

Gregski11
Contributor
‎12-31-2022 05:55 AM

one of our Search Heads though it has a local\outputs.conf file with 6 Indexers listed in it, does NOT show any listed on the Forwarding and receiving Web UI page, like all our other Search Heads and I can't figure out why that is 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-03-2023 08:07 AM

Try to run btool in your user's context to see if the outputs setting is visible.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-03-2023 06:41 AM

Interesting.  I don't know why that would be.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...