I have installed a universal forwarder on a Windows server, choosing to forward some of the Windows event logs, and then installed the credentials using the following command:
C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe install app C:\splunkclouduf.spl -auth admin:changeme
I then received a message in my instance that stated "splunk received event for unconfigured/disabled/deleted index=‘wineventlog’" so I created an appropriate index named wineventlog.
However, I am still unable to create a 'Data Input' for 'Windows Event Logs', I always receive the message "There are currently no forwarders configured as deployment clients to this instance". I'm not sure why this is, as clearly the universal forwarder on my server is sending data to my Splunk cloud instance, otherwise I would never have received the message regarding the missing index.
I have found the majority of the Splunk documentation to be very outdated, many dead links to documentation that no longer exists or has been moved, screenshots that no longer match either the universal forwarder installer OR the Splunk Cloud interface. I'm probably missing something really silly here, I've read over lots of previous questions stating that something is missing from outputs.conf or there may be a missing deploymentclient.conf file. I have tried running:
splunk.exe set deploy-poll
and received:
In handler 'deploymentclient': No configuration change made.
This is a standalone Splunk Cloud instance. I am still unable to create a 'Data Input' for 'Windows Event Logs', although I can now see that there is data in the wineventlog index I created earlier (although I can't search it).
Thanks in advance,
James
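The post turns on two forwarder-side files: outputs.conf (which the Splunk Cloud credentials app writes, and which is what makes data reach the wineventlog index) and deploymentclient.conf (which is what makes a forwarder appear as a deployment client; `splunk set deploy-poll` needs a `host:port` argument to create it). The script below is an added example by the editor, not code from the poster or from Splunk: it parses both files and reports which of the two roles the forwarder is actually configured for, so the "data arrives but no deployment client" situation described above shows up as a concrete finding. The sample .conf contents and hostnames are constructed; real files live under the forwarder's etc/system/local or etc/apps/<app>/local directories, and the stanza and key names (`[tcpout]`, `defaultGroup`, `server`, `[target-broker:deploymentServer]`, `targetUri`) are the standard Splunk ones.

```python
"""Check a Splunk universal forwarder's outputs.conf and deploymentclient.conf
for the two settings that matter here: a forwarding target (data flows) and a
deployment-server target (forwarder is a deployment client).

Added example; sample file contents below are constructed, not from a real host.
"""
import configparser
from pathlib import Path
from typing import Dict, List, Optional

# Constructed outputs.conf of the kind a Splunk Cloud credentials app installs.
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
server = inputs1.example.splunkcloud.com:9997, inputs2.example.splunkcloud.com:9997
compressed = false
"""

# Constructed deploymentclient.conf as written by `splunk set deploy-poll host:port`.
SAMPLE_DEPLOYMENTCLIENT_CONF = """
[deployment-client]
clientName = win-server-01

[target-broker:deploymentServer]
targetUri = ds.example.internal:8089
"""


def parse_splunk_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}.

    Keys keep their case (Splunk keys are case-sensitive) and no '%'
    interpolation is applied, since .conf values may contain '%'.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # type: ignore[assignment]
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def check_forwarder(outputs_text: Optional[str],
                    deploymentclient_text: Optional[str]) -> List[str]:
    """Return a list of findings; an empty list means both roles are configured."""
    findings: List[str] = []

    # 1. Forwarding target: without this nothing reaches any index.
    if outputs_text is None:
        findings.append("outputs.conf: file missing; forwarder has no output target")
    else:
        outputs = parse_splunk_conf(outputs_text)
        group = outputs.get("tcpout", {}).get("defaultGroup", "").strip()
        if not group:
            findings.append("outputs.conf: [tcpout] has no defaultGroup")
        else:
            servers = outputs.get(f"tcpout:{group}", {}).get("server", "").strip()
            if not servers:
                findings.append(f"outputs.conf: [tcpout:{group}] has no server list")

    # 2. Deployment-server target: without this the forwarder is not a
    #    deployment client, even though it may be forwarding data fine.
    if deploymentclient_text is None:
        findings.append("deploymentclient.conf: file missing; "
                        "forwarder is not a deployment client")
    else:
        dc = parse_splunk_conf(deploymentclient_text)
        target = dc.get("target-broker:deploymentServer", {}).get("targetUri", "").strip()
        if not target:
            findings.append("deploymentclient.conf: no targetUri under "
                            "[target-broker:deploymentServer]")
    return findings


def check_forwarder_files(outputs_path: str, deploymentclient_path: str) -> List[str]:
    """Run the same check against real files on a forwarder (missing file -> None)."""
    def read_or_none(path: str) -> Optional[str]:
        p = Path(path)
        return p.read_text(encoding="utf-8") if p.is_file() else None
    return check_forwarder(read_or_none(outputs_path), read_or_none(deploymentclient_path))


if __name__ == "__main__":
    # The situation from the post: data is forwarded, but deploymentclient.conf
    # was never created, so the instance lists no deployment clients.
    for line in check_forwarder(SAMPLE_OUTPUTS_CONF, None):
        print("FINDING:", line)
    print("complete config findings:", check_forwarder(SAMPLE_OUTPUTS_CONF,
                                                       SAMPLE_DEPLOYMENTCLIENT_CONF))
```

On a Windows forwarder, point `check_forwarder_files` at `C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf` and `...\deploymentclient.conf` (or the credentials app's own `local` directory, since apps can carry an outputs.conf too); a finding only about deploymentclient.conf matches the symptom in the post, where events reach the index while the forwarder is still not a deployment client.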