I am trying to send logs through UF to my Stand alone instance but data is not getting forwarded.
I have UF installed in one of my test server and added inputs.conf,outputs.conf and set deployment.conf then restarted my splunk service in test server.In my stand alone instance i have created index.
index = test_index
sourcetype = cenere
Should there be any configuration setup in my standalone instance?I dont see serverclass defined in my standalone instance .
Any other configurations needs to be added?
Make sure your forwarder can also resolve your standalone FQDN, if not replace it for the IP on your outputs.conf.
Theres also something weird about config files locations. Can you please verify if thats correct? Usually, the UF path for these config files would be something like /opt/splunkforwarder/... but you have opt/app/splunk/splunk/etc/system/local
If/when you want to use deployment server then you should create app for these configurations instead of put them to system/local. And even if not, use still an app for easier management.
You could test with
curl -vk telnet://your.spl.IDX.name:9997
that tells if it can
- resolve your server name
- connect to it
And as @alemarzu said usually path contains splunkforwarder if you are using UF. If it contains splunk then this is normally HF.
Before your UF can send to IDX you must enable it’s listening/receiving, it default is not to receive.
Hi @Ashwini008 from UF to indexer, the ping and "telnet <receiving-port>" works fine ah?
as @richgalloway said, on splunk indexer, did you enable receiving? at what port?
any firewall rules between UF to indexer?
are the other UF's sending logs to indexer fine?
Did you enable receiving on the standalone instance?