Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About jamiemfuse
jamiemfuse
Explorer
Member since:
01-12-2013
06-05-2020
Community Statistics
| Posts | 8 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 2 |
| Member Since | 01-12-2013 |
Activity Feed
- Got Karma for First install problem - Use a deployment server OR a receiving indexer- Which one? Why?. 06-05-2020 12:46 AM
- Got Karma for First install problem - Use a deployment server OR a receiving indexer- Which one? Why?. 06-05-2020 12:46 AM
- Posted Re: First install problem - Use a deployment server OR a receiving indexer- Which one? Why? on Getting Data In. 01-17-2013 02:29 AM
- Posted Re: First install problem - Use a deployment server OR a receiving indexer- Which one? Why? on Getting Data In. 01-15-2013 12:54 PM
- Posted Re: First install problem - Use a deployment server OR a receiving indexer- Which one? Why? on Getting Data In. 01-15-2013 12:53 PM
- Posted Re: First install problem - Use a deployment server OR a receiving indexer- Which one? Why? on Getting Data In. 01-15-2013 12:21 PM
- Posted Re: First install problem - Use a deployment server OR a receiving indexer- Which one? Why? on Getting Data In. 01-15-2013 12:21 PM
- Posted Re: First install problem - Use a deployment server OR a receiving indexer- Which one? Why? on Getting Data In. 01-15-2013 12:21 PM
- Posted Re: First install problem - Use a deployment server OR a receiving indexer- Which one? Why? on Getting Data In. 01-15-2013 12:20 PM
- Posted First install problem - Use a deployment server OR a receiving indexer- Which one? Why? on Getting Data In. 01-15-2013 09:13 AM
- Tagged First install problem - Use a deployment server OR a receiving indexer- Which one? Why? on Getting Data In. 01-15-2013 09:13 AM
- Tagged First install problem - Use a deployment server OR a receiving indexer- Which one? Why? on Getting Data In. 01-15-2013 09:13 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 2 |
01-17-2013
02:29 AM
Thanks everyone. I have followed the example in the link above and changed the serverclass.conf and output.conf and input.conf where necessary. I now have a basic setup working with one server acting as combined deployment server and indexer. I am collecting windows event logs and a jboss access log. I am doing this as a proof of concept and have more logs and servers to include so I know I will have more questions, especially on congestion and throughput because we can top 1GB of logs an hour per webapp server (multiple by many webapp servers), but I will open these as separate questions.
There is a wealth of documentation on splunk-base which is great except I think for the new starter it is almost overwhelming. I used one of the videos to see a deployment server install which made for an easy to follow tutorial. However there was then no follow up video for adding adding remote data (only local data) unless I missed it somehow. So I do think that although the docs are thorough, there would be benefit to having a single track of different example tutorials that you can just follow along with if your are just starting Splunk.
The data I now see on my indexer is impressive, although again almost overwhelming. I need to learn how to "index" properly perhaps, it has done it by default so far. Also need to learn how to find the most valuable bits, get the dashboards and alerts up. Anyway, so long as it can take the throughput we need to throw at it, it will certainly be a very powerful tool.
Thanks again,
Jamie
... View more
01-15-2013
12:54 PM
I've just seen this...
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Extendedexampledeployseveralstandardforwarders
...it seems as close as I can find to a simple end-to-end walk through example for new people like me. I'd hoped to have seen something similar that would be all gui based but looks like file editing is a must? Personally that's ok, I do a lot of file editing with Nagios but it's a harder sell for the rest of my team.
... View more
01-15-2013
12:53 PM
I've just seen this...
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Extendedexampledeployseveralstandardforwarders
...it seems as close as I can find to a simple end-to-end walk through example for new people like me. I'd hoped to have seen something similar that would be all gui based but looks like file editing is a must? Personally that's ok, I do a lot of file editing with Nagios but it's a harder sell for the rest of my team.
... View more
01-15-2013
12:21 PM
I now want to create a really simple config on the deployment server that it can pass to the client when he calls home. I presume the config should contain the indexer address and port and the log name/type to be pushed up to the indexer. It looks like I need to define a "server class" and then a "client config"? Is that right? Could you shed some light on where and how to do that, or a doc that gives a nice example?
Thanks,
Jamie
... View more
01-15-2013
12:21 PM
I've read through more documentations coming from the links you gave but a couple of hours later and again I'm struggling. (And by the way I'm about 8 years in IT so which is why I'm so annoyed with myself that I can't get this to work!) I'm just finding that there is almost too much info in the docs, I'm looking for some simple blog-style "I set this up" path of info but not finding it. So you could please give me a few more pointers that would be great.
... View more
01-15-2013
12:21 PM
tcp 0 0 10.64.73.210:8089 10.64.73.16:50080 ESTABLISHED
18:50:04
tcp 0 0 10.64.73.210:8089 10.64.73.16:50117 ESTABLISHED
18:57:30
tcp 0 0 10.64.73.210:8089 10.64.73.16:50123 ESTABLISHED
18:58:42
tcp 0 0 10.64.73.210:8089 10.64.73.16:50129 ESTABLISHED
18:59:55
... View more
01-15-2013
12:20 PM
Thank you for this. You have definitely moved me forward a bit. I get the difference between the deployment server and the index server now. Ideally I want my proof-of-concept server to do both jobs.
I reinstalled the universal forwarder again with only the deployment server details and yes you were right it is calling home every once in a while, here is the comms on the deployment server:
... View more
01-15-2013
09:13 AM
2 Karma
Hi all,
I am trialling Splunk and installing it for the first time. I have installed the main Splunk server without problems and found the documentation and videos both useful and very applicable.
However I have been struggling for several hours trying to get the universal forwarded installed and working. And I cannot find any "useful" documentation. I may well have missed something obvious, in fact I hope that is the case.
First time I installed the universal forwarder I configured it to use the deployment server and gave server address and checked the standard 8089 port was listening on the server and that the client can reach it (they are on the same subnet). But netstat showed no comms between the two. So I uninstalled the universal forwarder and reinstalled to point to the server at a listener port. I then realised that this port is not listening on the server - but I though the docs suggested that would be a default listening port at 9997?
So now I am about to set up a port on 9997 on the server. But I am asking myself, why am I doing this? What is the advantage / disadvantage of using a listener or a deployment server port to speak to the client's universal forwarder? It's not clear and I'm getting a bit frustrated with Splunk to be honest.
I am running the server on Ubuntu server 12.04 and the Universal forwarder is on a client running Windows server 2008 R2 core. We have a mixed server environment. I understand that I may need to install the windows app on the server to allow correct indexing?
So if someone could explain to me why should I use deployment server versus receiving indexer? And if I definitely need to install the windows app before I receive the data? Or call me a fool for missing some step by step and/or video demo of someone setting up the universal forwarder?
Any help would be much appreciated.
Thanks,
Jamie
... View more
