Hello,
Two months ago we had the trial for the Enterprise version, but now we are using the free version. Since the free version was selected, we're prompted with an error, and we can't solve it.
The error when we try to do a new search is the following:
"Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com/store or calling 866.GET.SPLUNK."
Any ideas? It'd be nice not to reinstall the whole platform, as the stored data is needed.
Thanks in advance
Hi @Am,
When you're using the Free License, you can index up to 500 MB/day.
If you exceed this value more than 2 times in 30 calendar days, you're in violation, and your Splunk instance continues to index your data but all searches are blocked (except the ones on internal indexes).
For more info, see https://docs.splunk.com/Documentation/Splunk/8.1.3/Admin/Aboutlicenseviolations
To have a new Trial installation, if you installed on Unix, you have to delete your instance and reinstall it.
On Windows this solution isn't applicable.
You can save the app configurations by copying the $SPLUNK_HOME/etc/apps folder before deleting, and overwriting it in the new installation.
Obviously this isn't a solution!
The correct approach is to identify your need in terms of license consumption and then buy the license!
In addition, using the Free License you also have a limited set of features.
Ciao.
Giuseppe
Hi!
Thanks for your fast answer. Since we're trying to understand how the platform works and performs in our environment, we're using the free version for now; it will of course be upgraded if we finally decide to use it in our enterprise.
Now we have another issue: we don't know how to reinstall Splunk and add the data inputs, so is there any decently explained beginners' guide on installing Splunk and adding data inputs such as AD that we could follow?
Many thanks.
Hi @Am,
First of all, are you working on Linux or Windows?
If you're working on Linux and your installation was OK before the block, you can follow these steps:
In this way, you have the old installation for the next two months, with the same limitation: 500 MB/day and two exceedances in 30 calendar days.
About Data Inputs, they depend on the sources; my hint is to use standard Apps and Technical Add-ons (TAs) from Splunkbase. For AD, see https://splunkbase.splunk.com/app/1680/ (the Splunk App for Windows Infrastructure), following all the instructions, especially the TAs' installation (https://docs.splunk.com/Documentation/MSApp/latest/MSInfra/AbouttheSplunkAppforMSInfrastructure).
Ciao.
Giuseppe
Hi @gcusello ,
Thanks again for your answers.
The installation went smoothly, and now we're facing an issue with the input data received from an AD: the Universal Forwarder had already been installed on the AD machine before reinstalling Splunk. Its configuration was correct and the logs were being received correctly, but now they aren't. Did reinstalling the Splunk software change the configuration in any way that made the forwarder stop sending data?
Splunk is installed on a Linux machine.
Any info would be appreciated.
Thanks!
Hi @Am,
First check whether you're receiving logs from that host; check this first on internal logs and then on other logs.
If you aren't receiving any logs (not even internal ones), first check that you enabled receiving in Splunk Enterprise, and then check whether the hostname or IP of the Splunk server is the same and is correctly configured in the UF.
If instead you're receiving internal logs from that host, check whether you're receiving other logs from that server.
If you don't receive any logs (except internal), check the TAs you're using for inputs on the UF; if instead you're receiving other logs (not only internal) from that server, you have to check other things:
if the input is correctly configured;
if the logs are indexed in the index you're searching;
if there's an error in parsing: if the timestamp of your logs is in European format (dd/mm/yyyy), it must be parsed with the correct TIME_FORMAT, otherwise Splunk uses its default format (mm/dd/yyyy).
Ciao.
Giuseppe
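The parsing check in the post above, as an added example that is not part of the thread: it shows what happens when European dd/mm/yyyy timestamps meet a month-first default. Days above 12 fail to parse at all, while days up to 12 are silently accepted with day and month swapped, so the events exist but land on the wrong date and fall outside the search time range. The log lines, the props.conf sourcetype name and the account names are constructed for the example.

```python
from datetime import datetime

# Format Splunk falls back to when a sourcetype has no TIME_FORMAT: month first.
DEFAULT_FORMAT = "%m/%d/%Y %H:%M:%S"
# What the post recommends for European logs, set in props.conf on the indexer
# (hypothetical sourcetype name):
#   [ad:events]
#   TIME_FORMAT = %d/%m/%Y %H:%M:%S
EUROPEAN_FORMAT = "%d/%m/%Y %H:%M:%S"

# Constructed log lines with European (dd/mm/yyyy) timestamps; not real AD events.
SAMPLE_LINES = [
    "13/04/2021 08:15:00 EventCode=4624 Logon_Type=3 Account_Name=svc_backup",
    "03/04/2021 08:16:00 EventCode=4624 Logon_Type=2 Account_Name=jdoe",
    "04/04/2021 08:17:00 EventCode=4634 Account_Name=jdoe",
]


def extract_timestamp(line, time_format):
    """Parse the leading 'date time' token pair of a line with the given
    strptime format; None means the format does not fit, which is where
    Splunk stops trusting the format and guesses."""
    stamp = " ".join(line.split(" ", 2)[:2])
    try:
        return datetime.strptime(stamp, time_format)
    except ValueError:
        return None


def check_european_lines(lines):
    """For each line, compare the intended (European) timestamp with what the
    month-first default parse yields, and classify the damage."""
    report = []
    for line in lines:
        intended = extract_timestamp(line, EUROPEAN_FORMAT)
        default = extract_timestamp(line, DEFAULT_FORMAT)
        if default is None:
            status = "rejected"    # day > 12: month-first parse fails outright
        elif default != intended:
            status = "wrong_date"  # day <= 12: silently indexed on the wrong day
        else:
            status = "ok"          # day == month: both readings coincide
        report.append((line.split(" ", 1)[0], intended, default, status))
    return report


if __name__ == "__main__":
    for date, intended, default, status in check_european_lines(SAMPLE_LINES):
        print(f"{date}: intended={intended} default={default} -> {status}")
```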
Hi @Am,
As I said, check whether you're receiving internal logs: if yes, the connection is OK; if not, check whether receiving is enabled [Settings -- Forwarding and Receiving -- Receiving] on the Splunk server.
For more info, see https://docs.splunk.com/Documentation/Splunk/8.1.3/Data/Usingforwardingagents#:~:text=Download%20Spl....
Always remember that the Splunk documentation is really fantastic, and you can always find the solution to your problems there.
The last thing is when there's a parsing error, but that comes later; check the situation of the logs:
Ciao.
Giuseppe
Hi @gcusello,
We're not receiving any kind of logs, and receiving is enabled as mentioned in the documentation (which we feel is deep enough, but also a bit tough to start from scratch with). Is there any way to reconfigure the UF on the AD machine? (In case we mess something up and want to recover the working configuration that was there before.)
Thanks!
Hi @Am,
Here you can find how to configure a UF to send logs to Splunk: https://docs.splunk.com/Documentation/Forwarder/8.1.3/Forwarder/Aboutforwardingandreceiving . In other words, you have to create (if it doesn't exist) a file called outputs.conf in $SPLUNK_HOME/etc/system/local and insert the following items in it:
[tcpout]
defaultGroup=my_indexers
[tcpout:my_indexers]
server=<your_splunk_server_hostname_or_ip_address>:9997
[tcpout-server://<your_splunk_server_hostname_or_ip_address>:9997]
<your_splunk_server_hostname_or_ip_address> is the hostname or the IP address of your Splunk server, and 9997 is the port you configured for receiving.
At the end you must restart Splunk on the UF (without a restart, the changes aren't in use!).
You can check that all is OK with a simple search on Splunk:
index=_internal host=<your_splunk_server_hostname>
If you have internal logs, you can start the other checks I hinted at.
Ciao.
Giuseppe
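A sanity check for the outputs.conf described in the last post, as an added example that is not part of the thread: it parses the file with the stanzas above and reports the mistakes that typically leave a UF with no connection (no defaultGroup, a group that does not exist, a server entry without host:port, a placeholder never replaced, or a port other than the one receiving was enabled on). The indexer hostname is a constructed placeholder, and the conf text is embedded inline so it runs offline.

```python
import configparser
import re

# Constructed example of a UF's $SPLUNK_HOME/etc/system/local/outputs.conf with
# the stanzas from the post; the hostname is a placeholder, not a real system.
OUTPUTS_CONF = """
[tcpout]
defaultGroup = my_indexers

[tcpout:my_indexers]
server = splunk-indexer.example.internal:9997

[tcpout-server://splunk-indexer.example.internal:9997]
"""

SERVER_RE = re.compile(r"^([^:\s]+):(\d+)$")


def parse_conf(text):
    """Splunk .conf files are INI-like; keep key case and disable %-interpolation."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str  # keep defaultGroup etc. as written
    cp.read_string(text)
    return cp


def check_outputs_conf(text, expected_port=9997):
    """Return the problems found; an empty list means the UF points at the receiver."""
    cp = parse_conf(text)
    if not cp.has_option("tcpout", "defaultGroup"):
        return ["[tcpout] has no defaultGroup: the UF does not know where to send"]
    group = cp.get("tcpout", "defaultGroup")
    stanza = f"tcpout:{group}"
    if not cp.has_section(stanza):
        return [f"defaultGroup points to missing stanza [{stanza}]"]
    if not cp.has_option(stanza, "server"):
        return [f"[{stanza}] has no server= entry"]
    problems = []
    for entry in cp.get(stanza, "server").split(","):
        entry = entry.strip()
        m = SERVER_RE.match(entry)
        if not m:
            problems.append(f"malformed server entry '{entry}', expected host:port")
            continue
        host, port = m.group(1), int(m.group(2))
        if host.startswith("<") and host.endswith(">"):
            problems.append(f"placeholder {host} was never replaced with a real hostname/IP")
        if port != expected_port:
            problems.append(f"{host}: port {port} differs from receiving port {expected_port}")
    return problems
```

Run it against the UF's real file with `check_outputs_conf(open(path).read())`; the indexer still has to have receiving enabled on the same port, and the UF restarted, for the `index=_internal` search to show anything.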