Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About uktechnologyser
uktechnologyser
Path Finder
Member since:
01-15-2016
06-05-2020
Community Statistics
| Posts | 15 |
| Solutions | 1 |
| Karma Given | 3 |
| Karma Received | 0 |
| Member Since | 01-15-2016 |
Activity Feed
- Karma Re: Cant get data using the Windows App for Windows Infrastructure. for Richfez. 06-05-2020 12:47 AM
- Karma Re: Cant get data using the Windows App for Windows Infrastructure. for alemarzu. 06-05-2020 12:47 AM
- Karma Re: Having trouble cleaning index data for Ayn. 06-05-2020 12:46 AM
- Posted Re: Can i tcpout to multiple servers with output.conf file? on Getting Data In. 01-22-2016 09:15 AM
- Posted Re: Cant get data using the Windows App for Windows Infrastructure. on All Apps and Add-ons. 01-22-2016 09:13 AM
- Posted Re: Cant get data using the Windows App for Windows Infrastructure. on All Apps and Add-ons. 01-21-2016 09:33 AM
- Posted Re: Cant get data using the Windows App for Windows Infrastructure. on All Apps and Add-ons. 01-21-2016 06:47 AM
- Posted Re: Cant get data using the Windows App for Windows Infrastructure. on All Apps and Add-ons. 01-21-2016 06:04 AM
- Posted Re: Cant get data using the Windows App for Windows Infrastructure. on All Apps and Add-ons. 01-21-2016 05:14 AM
- Posted Re: Why is no data being indexed after deploying the Splunk Add-on for Microsoft Windows and "send to indexer" apps? on All Apps and Add-ons. 01-21-2016 04:02 AM
- Posted Re: Cant get data using the Windows App for Windows Infrastructure. on All Apps and Add-ons. 01-21-2016 03:54 AM
- Posted Re: Why is no data being indexed after deploying the Splunk Add-on for Microsoft Windows and "send to indexer" apps? on All Apps and Add-ons. 01-20-2016 09:15 AM
- Posted Re: Splunk Support for Active Directory 2.11: KeyError at ".../apps/SA-ldapsearch/bin/packages/splunklib/client.py", line 1653 : u'ssl'" on All Apps and Add-ons. 01-20-2016 09:07 AM
- Posted Re: Splunk Support for Active Directory 2.11: KeyError at ".../apps/SA-ldapsearch/bin/packages/splunklib/client.py", line 1653 : u'ssl'" on All Apps and Add-ons. 01-20-2016 04:45 AM
- Posted Re: Can i tcpout to multiple servers with output.conf file? on Getting Data In. 01-19-2016 09:19 AM
- Posted Re: Cant get data using the Windows App for Windows Infrastructure. on All Apps and Add-ons. 01-19-2016 08:50 AM
- Posted Cant get data using the Windows App for Windows Infrastructure. on All Apps and Add-ons. 01-15-2016 09:35 AM
- Tagged Cant get data using the Windows App for Windows Infrastructure. on All Apps and Add-ons. 01-15-2016 09:35 AM
- Tagged Cant get data using the Windows App for Windows Infrastructure. on All Apps and Add-ons. 01-15-2016 09:35 AM
- Tagged Cant get data using the Windows App for Windows Infrastructure. on All Apps and Add-ons. 01-15-2016 09:35 AM
Topics I've Started
01-22-2016
09:15 AM
I was told to change my outputs.conf file to this:
[tcpout]
defaultGroup = My_Cluster_1
[tcpout:My_Cluster_1]
disabled=false
server = 10.1.4.32:9997,10.1.4.33:9997
I still dont know if i have configued it right as i cant get any data from my deployment clients to my indexers. I have spoken to a support representative and they think the issue is because i have Splunk Free and NOT Splunk Enterprise installed Slams head against desk. Hopefully when i get an enterprise licence installed the clients will start sending info to the indexers.
... View more
01-22-2016
09:13 AM
Update on this, i have spoken to a support representative and they think the issue is because i have Splunk Free and NOT Splunk Enterprise installed Slams head against desk. Hopefully when i get an enterprise licence installed the clients will start sending info to the indexers.
... View more
01-21-2016
09:33 AM
Ah yes i can see it now, Although it doesn't have disabled=0 but connection_host = ip under the first line. Going to try and install the forwarder on a server that isnt a DC to see if that makes a difference. I dont think it will work, im sure there is a problem with the app configuration.
If i run the same tool for troubleshooting but replace inputs with outputs will that give me all of the outputs.conf files on the server i run it on?
... View more
01-21-2016
06:47 AM
Looking at the troubleshooting document i thought i would check the indexers input.conf file to see if its the same as they show. In $SPLUNK_HOME/etc/system/local on each indexer It should be:
[splunktcp://9997]
disabled = 0
However all i have is
[default]
host = IndexerHostName
I set up receiving in Splunk Web for each Indexer and restarted them. I have used a port query program and i can confirm both are listening on 9997 as i have defined. Strange how it isnt showing in the inputs.conf file as it should. Maybe something to do with it?
... View more
01-21-2016
06:04 AM
Yeah i've looked at the splunkd.log, cant find any errors other than the ones i have mentioned in the thread you have provided the link for.
ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.
I get the same error on the other DC i just installed the Universal forwarder on. Maybe i should try putting the config in the C:\Program Files\SplunkUniversalForwarder\etc\system\local inputs.conf file as it doesn't seem to pick it up from the inputs.conf on the send to indexer app?
... View more
01-21-2016
05:14 AM
Hi alemarzu,
I have made that change and my deployment client has picked up the configuration but i still cant see anything coming from the client on my search head. Wish the send to indexer app has its own log so we could figure out what's going on. splunkd just seems to show the client calling home to the deployment server and making any changes if it sees them. Is there a debug log for send to indexer or the windows infrastructure app?
... View more
01-21-2016
04:02 AM
a) My splunkd log on the deployment client says:
ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.
Does this mean it isnt referencing the outputs.conf file in the send to indexer app? This has the configuration telling it to tcp out to the indexers.
b) I know it isnt indexing because i cant see any files populating in the wineventlog folder on the indexers.
c) my host doesnt appear,
Interestingly if i install the Splunk_TA_windows app directly on the indexers it starts getting logs straight away and storing them locally. From there i can search them from the search head. It must be a problem with the send to indexer app.
... View more
01-21-2016
03:54 AM
This still doesn't seem to be working. in the splunkd log i get the same error that says ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf. It looks like the deployment client it isn't referencing the outputs.conf file in the send to indexer app like it should. Any ideas why it would do this?
... View more
01-20-2016
09:15 AM
How did you see the deployment client made a connection on 9997? Did you get a fix for this? I have the same problem.
... View more
01-20-2016
09:07 AM
Thanks a lot, that got rid of the error and i could successfully connect to the domain. I've never been able to get any data right from the outset when setting up the Infrastructure for windows app. There is a test data part at the end of each section but it doesn't look like my client is sending any. Is there a log i can check on my client to see if its trying to send the data? I've checked splunkd on the indexers and forwarder but cant see anything to suggest a problem.
... View more
01-20-2016
04:45 AM
I made the change you suggested and after restarting splunk it passed the configuration pre-requisite for that stage of the setup. No idea what is configured there now or how to change it. The setup is failing at the next stage of checking data. No events are being returned at all.
How do i make sure the connection to the domain is configured? I can see an option to disable the app, can i delete it? Will re-enabling it let me reconfigure it?
Cheers,
Jay
... View more
01-19-2016
09:19 AM
Thanks very much.
I have have separated my indexers out with the format you suggested. Not sure if this is working yet as i am still going through the set-up, ill let you know how i get on.
Cheers,
Jay
... View more
01-19-2016
08:50 AM
Hi Rich,
Thanks for your reply, i have added the missing indexes 'wineventlog' and 'windows' but i still cant see any data on my search head. I can see the new indexes have appeared on my deployment server and my indexers. It think maybe that my deployment client isn't sending the information? I cant see anything that looks like logs in the folders on the indexers (what would they look like?), is there a way to tell if my deployment client is trying to send the logs to the indexers? I have looked at the splunkd.log but not really sure what i am looking for to be honest. The only error i can see says:
"ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf."
My outputs.conf file locate din C:\Program Files\SplunkUniversalForwarder\etc\apps\Send_To_Indexer looks like this:
[tcpout]
defaultGroup = My_Cluster_1
[tcpout:My_Cluster_1]
server = 10.1.4.32:9997,10.1.4.33:9997
[tcpout-server://10.1.4.32:9997]
[tcpout-server://10.1.4.33:9997]
This should send the data to both indexers.
Any help appreciated.
Cheers,
Jay
... View more
01-15-2016
09:35 AM
Cant get any Data from this, setting it up with a 1 deployment app, 1 search head and 2 clustered indexers. Worked through the 'Get Windows Data' and noticed a comment on the document - http://docs.splunk.com/Documentation/MSApp/latest/MSInfra/Confirmandtroubleshootdatacollection
"After running thru the install, I wasn't receiving events in my indexes. It appears that the input.conf from the Splunk Add-on for Windows and the indexes.conf from the Splunk App for Windows Infrastructure don't match up.
Inputs.conf from the Splunk Add-on for Windows, which I deployed to my Universal Forwarder sends the events to an index called wineventlog, but the indexes.conf file that is copied to C:\Program Files\Splunk\etc\system\local\ during the indexer setup step doesn't create that index. It only creates MSAD, PERFMON, & WINEVENTS.
I also have events on the input.conf from the Splunk Add-on for Windows that are trying to hit an index called WINDOWS.
I guess I may need to tweak either the indexes.conf file or the inputs.conf file so that the events can be correctly indexed? If I change one will it break something else?(dashboards)
BWWB
August 28, 2015"
Can anyone verify if this is the problem? I have continued onto the 'Get Active Directory Data' section and the input.conf file for this app does reference the MSAD, PERFMON, & WINEVENTS. indexes but still no data appears. Will the fact i dont have a licence installed have anything to do with this?
Thanks in advance,
Jay
... View more
01-15-2016
08:30 AM
Complete newbie to Splunk, have just setup a distributed search structure (1 deployment server, 1 search head, 2 indexers).
I am deploying the 'sendtoindexer' app from my deployment server and as part of that i need to configure the following in the outputs.conf file for the app.
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = <indexer_hostname_or_ip_address>:<port>
[tcpout-server://<indexer_hostname_or_ip_address>:<port>]
WIll this format work? I want to send data to both of my indexers as they are clustered. Or will that create duplicate data once they start replicating?
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.1.4.32:9997,10.1.4.33:9997
[tcpout-server://10.1.4.32:9997,10.1.4.33:9997]
I have setup receiving on the indexers already so its just the format i need to enable the forwarder(s) to send the information correctly. I am also running without a licence at the moment, we plan to purchase Enterprise this month. Would that disable any features for this type of setup?
Thanks in advance,
Jay
... View more
