Hey Guiseppe,
Apologies, to clarify...
07-29-2019 10:37:42.100 -0700 INFO TcpOutputProc - Connected to idx=x.x.x.x:9997, pset=0, reuse=0.
07-29-2019 10:37:58.589 -0700 WARN TcpOutputFd - Connect to x.x.x.x:8000 failed. No connection could be made because the target machine actively refused it.
07-29-2019 10:37:58.589 -0700 ERROR TcpOutputFd - Connection to host=x.x.x.x:8000 failed
07-29-2019 10:38:14.324 -0700 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_x.x.x.x_8089_ip-x-x-x-x-.ec2.internal_myWorkStation_...
07-29-2019 10:38:16.034 -0700 WARN TcpOutputFd - Connect to x.x.x.x:8000 failed. No connection could be made because the target machine actively refused it.
07-29-2019 10:38:16.034 -0700 ERROR TcpOutputFd - Connection to host=x.x.x.x:8000 failed
I've validated the logs; they do say 9997 is connected, and to my multiple indexer clusters, which is what I want. I don't know why it's trying to connect to my splunkcloud.com web UI; I just assume that since it's failing, I should make sure it successfully establishes a connection. Regardless, I don't see logs under my Splunk Cloud instance at all.
My inputs file is quite straightforward...
inputs.conf (SPLUNKHOME\etc\apps\Splunk_TA_windows\local)
[WinEventLog://Security]
index=security
current_only=1
evt_resolve_ad_obj=0
renderXml=1
disabled=0
So when I go into Splunk Cloud I expect to see index=* or index=security; I've manually created the index in Splunk Cloud already.
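Added example, not part of the original post: a small Python parser for splunkd.log TcpOutput* lines in the format quoted above. It tallies, per destination host:port, how many times the forwarder reported a successful connection versus a failure and keeps the OS-level reason from the WARN line, so the healthy 9997 indexer connections can be separated from the refused 8000 attempts before looking at outputs.conf. The sample log is constructed from the lines above, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the splunkd.log lines quoted in the post.
SAMPLE_LOG = """\
07-29-2019 10:37:42.100 -0700 INFO TcpOutputProc - Connected to idx=x.x.x.x:9997, pset=0, reuse=0.
07-29-2019 10:37:58.589 -0700 WARN TcpOutputFd - Connect to x.x.x.x:8000 failed. No connection could be made because the target machine actively refused it.
07-29-2019 10:37:58.589 -0700 ERROR TcpOutputFd - Connection to host=x.x.x.x:8000 failed
07-29-2019 10:38:16.034 -0700 WARN TcpOutputFd - Connect to x.x.x.x:8000 failed. No connection could be made because the target machine actively refused it.
07-29-2019 10:38:16.034 -0700 ERROR TcpOutputFd - Connection to host=x.x.x.x:8000 failed
"""

# Generic splunkd.log line: "<date> <time> <tz> <LEVEL> <Component> - <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ [+-]\d{4}) (?P<level>\w+) (?P<component>\w+) - (?P<msg>.*)$")
CONNECTED_RE = re.compile(r"Connected to idx=(?P<dest>[^,\s]+)")          # INFO TcpOutputProc
FAILED_RE = re.compile(r"Connection to host=(?P<dest>\S+) failed")         # ERROR TcpOutputFd
REASON_RE = re.compile(r"Connect to (?P<dest>\S+) failed\. (?P<reason>.*)")  # WARN TcpOutputFd


def summarize_outputs(log_text):
    """Return {dest: {"connected": n, "failed": n, "last_error": str or None}}
    built only from TcpOutput* components; all other splunkd lines are ignored."""
    summary = defaultdict(lambda: {"connected": 0, "failed": 0, "last_error": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("component").startswith("TcpOutput"):
            continue
        msg = m.group("msg")
        if (c := CONNECTED_RE.search(msg)):
            summary[c.group("dest")]["connected"] += 1
        elif (f := FAILED_RE.search(msg)):
            summary[f.group("dest")]["failed"] += 1
        elif (w := REASON_RE.search(msg)):
            # The WARN line carries the OS error text; remember the most recent one.
            summary[w.group("dest")]["last_error"] = w.group("reason")
    return dict(summary)


def unhealthy_destinations(summary):
    """Destinations that failed and never connected: the ones to check in outputs.conf."""
    return sorted(d for d, s in summary.items() if s["failed"] and not s["connected"])


if __name__ == "__main__":
    result = summarize_outputs(SAMPLE_LOG)
    for dest, stats in sorted(result.items()):
        print(dest, stats)
    print("never connected:", unhealthy_destinations(result))
```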