Splunk Enterprise

How to configure UF to send data to splunk stand alone instance?

Ashwini008
Builder

I am trying to send logs through UF to my Stand alone instance but data is not getting forwarded.

I have UF installed in one of my test server and added inputs.conf,outputs.conf and set deployment.conf then restarted my splunk service in test server.In my stand alone instance i have created index.

Outputs.conf (opt/app/splunk/splunk/etc/system/local)

[tcpout]

defaultGroup=group1

 [tcpout:group1]

server=mysplunkhost.com:9997

inputs.conf (opt/app/splunk/splunk/etc/system/local)

[monitor:///folder/upload/cen*]

index = test_index

sourcetype = cenere

disabled=false

Should there be any configuration setup in my standalone instance?I dont see serverclass defined in my standalone instance .

Any other configurations needs to be added?

Thank you

alemarzu
Motivator

Hi @Ashwini008 

Make sure your forwarder can also resolve your standalone FQDN, if not replace it for the IP on your outputs.conf.

Theres also something weird about config files locations. Can you please verify if thats correct? Usually, the UF path for these config files would be something like /opt/splunkforwarder/... but you have opt/app/splunk/splunk/etc/system/local

 

isoutamo
SplunkTrust
SplunkTrust

Hi

If/when you want to use deployment server then you should create app for these configurations instead of put them to system/local. And even if not,  use still an app for easier management.

You could test with

curl -vk telnet://your.spl.IDX.name:9997

that tells if it can

- resolve your server name

- connect to it 

And as @alemarzu said usually path contains splunkforwarder if you are using UF. If it contains splunk then this is normally HF. 

Before your UF can send to IDX you must enable it’s listening/receiving, it default is not to receive.

r. Ismo

inventsekar
SplunkTrust
SplunkTrust

Hi @Ashwini008 from UF to indexer, the ping and "telnet <receiving-port>" works fine ah?

as @richgalloway said, on splunk indexer, did you enable receiving? at what port?

any firewall rules between UF to indexer? 

are the other UF's sending logs to indexer fine?

 

richgalloway
SplunkTrust
SplunkTrust

Did you enable receiving on the standalone instance?

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...