I am trying to send logs through a UF to my standalone instance, but data is not getting forwarded.
I have the UF installed on one of my test servers and added inputs.conf, outputs.conf and set deployment.conf, then restarted my Splunk service on the test server. In my standalone instance I have created the index.
Outputs.conf (opt/app/splunk/splunk/etc/system/local)
[tcpout]
defaultGroup=group1
[tcpout:group1]
server=mysplunkhost.com:9997
inputs.conf (opt/app/splunk/splunk/etc/system/local)
[monitor:///folder/upload/cen*]
index = test_index
sourcetype = cenere
disabled=false
Should there be any configuration set up in my standalone instance? I don't see a serverclass defined in my standalone instance.
Do any other configurations need to be added?
Thank you
Hi @Ashwini008
Make sure your forwarder can also resolve your standalone FQDN; if not, replace it with the IP in your outputs.conf.
There's also something weird about the config file locations. Can you please verify that's correct? Usually, the UF path for these config files would be something like /opt/splunkforwarder/... but you have opt/app/splunk/splunk/etc/system/local
Hi
If/when you want to use a deployment server, then you should create an app for these configurations instead of putting them in system/local. And even if not, still use an app for easier management.
You could test with
curl -vk telnet://your.spl.IDX.name:9997
that tells if it can
- resolve your server name
- connect to it
And as @alemarzu said, the path usually contains splunkforwarder if you are using a UF. If it contains splunk, then this is normally an HF.
Before your UF can send to the IDX you must enable its listening/receiving; by default it does not receive.
r. Ismo
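The two checks from the reply above (name resolution, then a TCP connect), run against every receiver named in the forwarder's outputs.conf. This is an added example, not part of the original thread; the function names `tcpout_servers` and `check` are hypothetical, and the sample config is the one posted in the question.

```python
import configparser
import pathlib
import socket
import sys

# Constructed sample: the outputs.conf posted in the question.
SAMPLE_OUTPUTS = """\
[tcpout]
defaultGroup=group1
[tcpout:group1]
server=mysplunkhost.com:9997
"""

def tcpout_servers(conf_text):
    """Return (group, host, port) for each server in the defaultGroup target groups."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    names = cp.get("tcpout", "defaultGroup", fallback="")
    found = []
    for group in (g.strip() for g in names.split(",") if g.strip()):
        section = "tcpout:" + group
        if not cp.has_section(section):
            found.append((group, None, None))  # defaultGroup names a missing stanza
            continue
        for entry in cp.get(section, "server", fallback="").split(","):
            host, _, port = entry.strip().rpartition(":")
            if host and port.isdigit():
                found.append((group, host.strip("[]"), int(port)))
    return found

def check(host, port, timeout=3.0):
    """Classify the path to one receiver: dns_failure, refused, timeout, unreachable, ok."""
    try:
        socket.getaddrinfo(host, port)  # step 1: can the forwarder resolve the name?
    except socket.gaierror:
        return "dns_failure"
    try:
        socket.create_connection((host, port), timeout).close()  # step 2: TCP connect
        return "ok"
    except ConnectionRefusedError:
        return "refused"      # host answered, but nothing listens on that port
    except socket.timeout:
        return "timeout"      # no answer at all, packets are being dropped
    except OSError:
        return "unreachable"

if __name__ == "__main__":
    text = pathlib.Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_OUTPUTS
    for group, host, port in tcpout_servers(text):
        print(group, host, port, check(host, port) if host else "missing stanza")
```

Run it on the forwarder with the path to its outputs.conf as the only argument. A `refused` result usually means nothing is listening on that port on the receiver, while `timeout` points at a firewall dropping the traffic.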
Hi @Ashwini008, from the UF to the indexer, do ping and "telnet <receiving-port>" work fine?
As @richgalloway said, on the Splunk indexer, did you enable receiving? At what port?
Any firewall rules between the UF and the indexer?
Are the other UFs sending logs to the indexer fine?
Did you enable receiving on the standalone instance?