Thanks so much for your answer! I can confirm that running the following command does indeed fix the issue for me:
splunk.exe set deploy-poll input-abc-d-12abcdefghij.cloud.splunk.com:8089
I did install the universal forwarder using the installation wizard, and I did see the 'Deployment Server' screen. However, I think the wording on that screen threw me a little. It wasn't clear to me that I had to enter my Splunk instance details in order to configure the universal forwarder to actually be a 'deployment client'. I may have even tried to enter my instance details, but missed off the 'input-' part of the URL. Again, I couldn't see any specific instructions in the documentation for this, and I may have incorrectly assumed that this would be handled as part of installing the credentials (splunkclouduf.spl), as after performing this step I checked the configuration files and could see what I thought were the correct URLs in the correct places in these files.
Thanks so much for your help, much appreciated!
I have installed a universal forwarder on a Windows server, choosing to forward some of the Windows event logs, and then installed the credentials using the following command:
"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" install app C:\splunkclouduf.spl -auth admin:changeme
I then received a message in my instance that stated "splunk received event for unconfigured/disabled/deleted index=‘wineventlog’" so I created an appropriate index named wineventlog.
However, I am still unable to create a 'Data Input' for 'Windows Event Logs'; I always receive the message "There are currently no forwarders configured as deployment clients to this instance". I'm not sure why this is, as clearly the universal forwarder on my server is sending data to my Splunk cloud instance, otherwise I would never have received the message regarding the missing index.
I have found the majority of the Splunk documentation to be very outdated, with many dead links to documentation that no longer exists or has been moved, and screenshots that no longer match either the universal forwarder installer OR the Splunk Cloud interface. I'm probably missing something really silly here. I've read over lots of previous questions stating that something is missing from outputs.conf or there may be a missing deploymentclient.conf file. I have tried running:
splunk.exe set deploy-poll
In handler 'deploymentclient': No configuration change made.
This is a standalone Splunk Cloud instance. I am still unable to create a 'Data Input' for 'Windows Event Logs', although I can now see that there is data in the wineventlog index I created earlier (although I can't search it).
Thanks in advance,
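A way to check whether a forwarder has a deployment server target set, as an added example that is not part of the original posts or Splunk's own tooling. It assumes the setting lives in the forwarder's deploymentclient.conf (typically under etc\system\local) as a `targetUri` key in the `[target-broker:deploymentServer]` stanza; the `input-` prefix and port 8089 are taken from the command in the post, and the sample file contents are constructed.

```python
import configparser

# Constructed samples. The hostname is the placeholder used in the post.
CONFIGURED = """\
[deployment-client]

[target-broker:deploymentServer]
targetUri = input-abc-d-12abcdefghij.cloud.splunk.com:8089
"""
NO_TARGET = "[deployment-client]\n"
MISSING_PREFIX = """\
[target-broker:deploymentServer]
targetUri = abc-d-12abcdefghij.cloud.splunk.com:8089
"""

def check_deployment_client(conf_text, host_prefix="input-", port="8089"):
    """Return a list of problems found in deploymentclient.conf text.

    host_prefix and port are assumptions taken from the command in the post,
    not values required by every deployment.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: the key is spelled targetUri
    cp.read_string(conf_text)

    problems = []
    disabled = cp.get("deployment-client", "disabled", fallback="false")
    if disabled.strip().lower() in ("1", "true"):
        problems.append("deployment client is disabled")

    uri = cp.get("target-broker:deploymentServer", "targetUri", fallback="").strip()
    if not uri:
        problems.append("no targetUri: forwarder is not a deployment client")
        return problems

    host, sep, uri_port = uri.rpartition(":")
    if not sep:  # no colon at all, so the whole value is the host
        host, uri_port = uri, ""
    if uri_port != port:
        problems.append(f"port is {uri_port or 'missing'}, expected {port}")
    if not host.startswith(host_prefix):
        problems.append(f"host {host!r} lacks the {host_prefix!r} prefix")
    return problems

if __name__ == "__main__":
    for name, text in [("configured", CONFIGURED), ("no target", NO_TARGET),
                       ("missing prefix", MISSING_PREFIX)]:
        print(name, "->", check_deployment_client(text) or "OK")
```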