Hi all, I did read and try numerous if not all the subject similar to mine.
I installed a Deployment Server on my Splunk Enterprise Server.
I followed the tutorial and made the "sendtoindexer" app following Splunk App for Windows Infrastructure 1.4 documentation. Everything works fine. I did put the "Splunk_TA_Windows" in the correct folders on Deployment Server.
Infact everything works perfectly, except that my Universal Forwarder on the Deployment client doesn't use the outputs.conf from the "sendtoindexer" app...
The outputs.conf file is in the folder
When I'am looking at the splunkd.log on the UF I do have this....
02-11-2019 15:16:04.947 +1100 ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.
02-11-2019 15:16:16.497 +1100 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
02-11-2019 15:16:22.364 +1100 WARN TailReader - Could not send data to output queue (parsingQueue), retrying...
02-11-2019 15:16:28.497 +1100 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
I admit the message "Please configure outputs.conf" is pretty obvious but can't solve my problem....
but when i troubleshot with "splunk btool outputs list --debug" there's no use of the file:
I did restart, uninstall/install multiple times the UF, but it never works, I can't see any logs in my Splunk Enterprise instance.
But when I just copy the outputs.conf file from
C:\Program Files\SplunkUniversalForwarder\etc\apps\sendtoindexer
to C:\Program Files\SplunkUniversalForwarder\etc\system\local
and restart my UF, everything works fine and the logs are sended to my splunk instance....so no network problems... and the debug command show the stanzas from the conf file.
So the conf file is OK....
I'am pretty lost right now...made so many tests...
Help please.
... View more