So I am experiencing an oddity with Splunk and I am hoping it is just something I am overlooking.
I have an indexer that also acts as a deployment server (Linux), and I am using a test client (Windows). On the deployment server, I created two apps, Splunk_TA_windows and sendtoindexer. I created the inputs.conf in the local folder of the Splunk_TA_windows app:
# Splunk_TA_windows/local/inputs.conf - collect the three main Windows event logs into the wineventlog index
[WinEventLog://Application]
disabled = 0
index = wineventlog

[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog
And the outputs.conf in the local folder of the sendtoindexer app:
# sendtoindexer/local/outputs.conf - forward everything to the indexer on port 9997
[tcpout]
disabled = false
defaultGroup = default-autolb-group

# The group stanza must be named [tcpout:<group>] so that it matches defaultGroup above;
# a misspelled header such as [tcpoutput:...] leaves the forwarder with no usable output group.
[tcpout:default-autolb-group]
server = hostname:9997

[tcpout-server://hostname:9997]
On Forwarder Management, I set the whitelists/blacklists so that the test machine is targeted to get both of these apps. When looking at the Server Class page, at the bottom under Clients, I see my test server and that under Deployed Apps I see 2, so that's good, but in the middle of that page under Apps, it shows both of my apps, and under the Clients column it shows 0 deployed for both.
Anyways, when checking the SplunkUniversalForwarder/etc/apps folder on the client machine I see both apps are deployed as expected. However, when I perform a search checking for either the hostname of the client or the index I set in the inputs.conf file, I do not get any results.
Any help would be appreciated. Let me know if anything I said didn't make sense or if more information would be useful.
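Added here as a troubleshooting aid, not part of the original post: a small Python check for the kind of outputs.conf stanza mistake that silently stops a universal forwarder from sending anything. It uses Python's configparser as a rough stand-in for Splunk's own conf parsing (an assumption; Splunk's btool is the authoritative view), and the sample conf is constructed to mirror the poster's file.

```python
import configparser
import re

# Constructed sample mirroring the posted outputs.conf, including a
# misspelled group stanza header ("tcpoutput" instead of "tcpout").
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
disabled = false
defaultGroup = default-autolb-group

[tcpoutput:default-autolb-group]
server = hostname:9997

[tcpout-server://hostname:9997]
"""

# The same file with the group header corrected.
FIXED_OUTPUTS_CONF = SAMPLE_OUTPUTS_CONF.replace("[tcpoutput:", "[tcpout:")


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # Splunk keys such as defaultGroup are case-sensitive
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def check_outputs_conf(text):
    """Return a list of problems that would prevent data from reaching the indexer."""
    conf = parse_conf(text)
    problems = []
    global_stanza = conf.get("tcpout", {})
    if global_stanza.get("disabled", "false").lower() in ("1", "true"):
        problems.append("[tcpout] is disabled")
    # Output groups are declared as [tcpout:<group>]; [tcpout-server://host:port] is per-server.
    group_names = {s.split(":", 1)[1] for s in conf if s.startswith("tcpout:")}
    for stanza in conf:
        if ":" in stanza and not stanza.startswith(("tcpout:", "tcpout-server://")):
            problems.append(f"unrecognized stanza {stanza!r}; expected [tcpout:<group>]")
    default_group = global_stanza.get("defaultGroup")
    if default_group is None:
        problems.append("[tcpout] has no defaultGroup")
    elif default_group not in group_names:
        problems.append(f"defaultGroup {default_group!r} has no [tcpout:{default_group}] stanza")
    for group in group_names:
        servers = conf[f"tcpout:{group}"].get("server") or ""
        for server in filter(None, (s.strip() for s in servers.split(","))):
            if not re.fullmatch(r"[^:\s]+:\d+", server):
                problems.append(f"group {group!r} server {server!r} is not host:port")
    return problems
```

Running `check_outputs_conf(SAMPLE_OUTPUTS_CONF)` reports the misspelled stanza and the dangling defaultGroup, while the corrected file passes cleanly.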