Splunk Search

splunk forwarder is starting but not appearing in "Select Forwarder" Page

ominfo
Explorer

I am trying to set up a Splunk universal forwarder, but I think I am missing something.
On restart, the Splunk forwarder is starting. Here is the attached screenshot.

But in the Select Forwarders screen it's not appearing. Here is the attached screenshot.
I think I am messing up outputs.conf.
Any help would be appreciated.


xpac
SplunkTrust

You most likely forgot to tell your UF where your central Splunk instance is located. On a Windows UF, you could do this during installation (it's asking for a Deployment Server IP).
After installation, go to the Splunk UF install directory, go to the subdirectory bin, and run splunk.exe set deploy-poll IP:8089, where IP is the IP/hostname of your central Splunk instance.

Alternatively, and cleaner for later management, go to the Splunk UF install directory, go to the subdirectory etc/apps, create a new directory deploymentclient-config, create a subdirectory default, create a file named deploymentclient.conf, and put this in the file:

[deployment-client]

[target-broker:deploymentServer]
targetUri = deploymentserver.splunk.mycompany.com:8089

Again, replace it with your IP/hostname.

If that doesn't work, check for a firewall issue between UF and central Splunk.

ominfo
Explorer

Thanks a lot for replying.

I made the required changes and restarted Splunk.
I am getting the below messages in var/logs/splunk:

05-01-2018 11:14:19.763 +0530 WARN  TailReader - Could not send data to output queue (parsingQueue), retrying...
05-01-2018 11:14:26.129 +0530 WARN  TcpOutputProc - Cooked connection to ip=10.1.1.200:9997 timed out
05-01-2018 11:14:26.229 +0530 WARN  TcpOutputProc - Cooked connection to ip=34.224.249.175:9997 timed out
05-01-2018 11:14:30.228 +0530 INFO  DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
05-01-2018 11:14:39.727 +0530 WARN  HttpPubSubConnection - Unable to parse message from PubSubSvr: 
05-01-2018 11:14:39.727 +0530 INFO  HttpPubSubConnection - Could not obtain connection, will retry after=77.394 seconds.
05-01-2018 11:14:42.229 +0530 INFO  DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected

xpac
SplunkTrust

Okay, your connections time out. In 99% of all cases, this is a firewall-related problem, because firewalls tend to silently drop requests that are not allowed, creating timeouts when trying to connect.
You should check with your network security people; they're most likely able to help you.
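A triage sketch for the splunkd.log excerpt quoted above, added here as an example and not part of the original thread or of Splunk's tooling: it groups the forwarder's connection failures by destination and port so the network team can be given exact targets. The function name `triage` and the result keys are assumptions made for this example; the sample lines are the ones posted in the thread.

```python
import re
from collections import Counter

# Sample input: the splunkd.log lines quoted in the thread above.
SAMPLE_LOG = """\
05-01-2018 11:14:19.763 +0530 WARN  TailReader - Could not send data to output queue (parsingQueue), retrying...
05-01-2018 11:14:26.129 +0530 WARN  TcpOutputProc - Cooked connection to ip=10.1.1.200:9997 timed out
05-01-2018 11:14:26.229 +0530 WARN  TcpOutputProc - Cooked connection to ip=34.224.249.175:9997 timed out
05-01-2018 11:14:30.228 +0530 INFO  DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
05-01-2018 11:14:39.727 +0530 WARN  HttpPubSubConnection - Unable to parse message from PubSubSvr:
05-01-2018 11:14:39.727 +0530 INFO  HttpPubSubConnection - Could not obtain connection, will retry after=77.394 seconds.
05-01-2018 11:14:42.229 +0530 INFO  DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
"""

# Layout: date time tz, level, component, " - ", message
LINE_RE = re.compile(r"^\S+ \S+ \S+\s+(\w+)\s+([\w:]+) - (.*)$")
TIMEOUT_RE = re.compile(r"Cooked connection to ip=([\d.]+):(\d+) timed out")
HANDSHAKE_RE = re.compile(r"handshake message to DS; err=(\w+)")


def triage(log_text):
    """Summarise forwarder connectivity failures found in splunkd.log text."""
    timeouts, ds_errors, blocked_queue = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the splunkd.log layout
        _level, component, message = m.groups()
        if component == "TcpOutputProc":
            t = TIMEOUT_RE.search(message)
            if t:  # data-forwarding connection that never completed
                timeouts[(t.group(1), int(t.group(2)))] += 1
        elif component == "DC:DeploymentClient":
            h = HANDSHAKE_RE.search(message)
            if h:  # deployment server handshake could not be sent
                ds_errors[h.group(1)] += 1
        elif component == "TailReader" and "output queue" in message:
            blocked_queue += 1  # inputs are backing up behind the failed output
    return {
        "timeout_targets": dict(timeouts),
        "ports_timing_out": sorted({port for _ip, port in timeouts}),
        "ds_handshake_errors": dict(ds_errors),
        "blocked_output_queue": blocked_queue,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the posted lines, the timeouts are on port 9997 for two destinations, and the deployment client reports not_connected twice.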


ominfo
Explorer

I opened port 8089 in the firewall for both inbound and outbound calls.

I am configuring Splunk Cloud with a universal forwarder on my local machine.
I think I am providing the wrong deployment server.

I provided the domain of the Splunk Cloud URL as the deployment server. Is that correct?


xpac
SplunkTrust

Ah, I missed the part about Splunk Cloud.

The docs say this:

(To enable you to use Splunk Web to manage forwarders and configure data inputs) In the Deployment Server dialog, enter your Splunk Cloud hostname in the Hostname or IP field. Specify the URL provided in your Welcome email, omitting the leading https:// and preceding the URL with "input-". For example: input-prd-p-z41nh2qlt7cx.cloud.splunk.com. (Note: When you install the universal forwarder on other platforms, you must configure the deployment server/client settings manually by editing .conf files. On Windows, this logic is included in the installer.)

Check this: https://docs.splunk.com/Documentation/SplunkCloud/7.0.0/User/ForwardDataToSplunkCloudFromWindows


ominfo
Explorer

Great... it worked.
Many, many thanks, man.
