Not able to add forward-server on splunk universal...

porasm1998 · ‎07-11-2023

This is what happening,

/opt/splunkforwarder/bin # ./splunk add forward-server <splunk-server-ip>:9997

it asks for credentials after that it says "Can't create directory "/opt/splunk/.splunk ": No such file or directory

How to fix this ? Please help.

gcusello · ‎07-11-2023

Hi @porasm1998,

what is the user you're using to run this command?

anyway, you can reach the same result modifying the outputs.conf file in $SPLUNK_HOME/etc/system/local:

[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://XX.XX.XX.XXX:9997]
[tcpout-server://YY.YY.YY.YYY:9997]

[tcpout:default-autolb-group]
server = XX.XX.XX.XXX:9997,YY.YY.YY.YYY:9997
disabled=false

Or (better) creating a dedicated App (called e.g. (TA_Forwarders) containing this file.

Ciao.

Giuseppe

porasm1998 · ‎07-12-2023

Hi @gcusello , Thanks for your response. I am using the root user. I've gone through $SPLUNK_HOME/etc/system/local: but in the local there only 2 files are showing up:
1. server.conf. 2. README

There's no output.conf file here.

Thanks,
Poras

gcusello · ‎07-12-2023

Hi @porasm1998,

it's normal, you have to create it, giving the same rights or the other conf files.

Then you have to restart Splunk on that machine.

Ciao.

Giuseppe

Not able to add forward-server on splunk universal forwarder

fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation