I fear I'm suffering from a number of interrelated issues. The topmost issue is that no data is coming through from my forwarder to my Splunk Light Cloud instance.
My setup is as basic as I can imagine:
I am demo-ing a Splunk Light Cloud instance.
I have created a single account.
I have downloaded the universal forwarder for Windows and installed it on my local machine.
I have downloaded the credentials file.
From within Splunk, I can see that my forwarder is "phoning home", so at least that much is working. But there isn't any data coming through.
When I try to install the credentials,
splunk install app "C:\Users\brian.TREES\Downloads\splunkclouduf.spl" -auth user:pass
I get the error Login Failed. I have triple-checked that the user:pass I am using works, by logging into the portal again. I don't see anywhere where this might be configured. There is only the one user that I can see.
From somewhere else on this forum, I saw a possible answer to my main problem (that no info is being forwarded) here: https://answers.splunk.com/answers/400954/how-to-troubleshoot-why-a-universal-forwarder-is-n-2.html
But unfortunately, it suffers from the same problem: I can't log in.
splunk add forward-server -auth user:pass
So I guess the main question is, what do I do about this Login Failed problem? Is this NOT the credentials I use to log into the Splunk cloud instance? If not, where do I set up new users in the interface?
Once this Login hurdle is passed, am I on the right track, for my most basic situation?
Thanks
Edit 10-13-2016 9:45am
All issues with UniversalForwarder authentication have been resolved, per my comment below. However, the issue remains that no data is being sent to the Cloud Light instance. I have added an outputs.conf file (as an experiment) with the content:
[tcpout:group1]
server=prd-p-{REDACTED}.cloud.splunk.com:9997
I'm not the least bit certain about the port number, but that seems to be what the examples show. It's not working, though, because I'm getting this error in my splunkd.log:
10-13-2016 09:38:39.279 -0500 WARN TcpOutputProc - Cooked connection to ip=XX.YY.ZZ.29:9997 timed out
Edit 10-13-2016 9:50am
Well, this is new. Probably new since I fixed the credentials problem yesterday afternoon, but when I look at Manage Indexes, I now see that some data is being loaded...
asdf Edit Delete Disable 3 MB 5 GB 15K 13 days ago 25 minutes ago 5 days
I've got some 15K events in my index! But when I head to the search tab... it still tells me:
No data has been added. Please add data.