Hello, I deployed a free trial of a Splunk Cloud instance to learn how to onboard logs into Splunk. I tried for hours but I am still unable to onboard logs.
Here is what I did...
Spun up a Splunk Cloud instance (pretty straightforward).
Downloaded the Splunk Universal Forwarder (pretty straightforward).
Installed the Splunk Universal Forwarder on my local Windows machine:
1. Unchecked Splunk on-prem as this is a cloud instance.
2. It asked to create a username and password. I created some crap login details and I don't know what these are for.
3. I chose a local installation, not network or domain.
4. It asked what logs I need. I chose all except AD logs because mine is local.
5. Now it asked for the location of the deployment server and port. I used my deployment server and left the port blank as it takes 8089.
6. Now I wasn't asked for any receiver server details here, which I saw in YouTube videos for others where it asks for receiver server details.
7. Clicked on the install button and installation is successful.
Back to the Splunk Cloud instance, I went to Data Inputs.
Choose Windows Events and added my workstation hostname in there (it's displaying in here).
I picked to add to index main.
Now it says all done, start searching.
I tried searching and nothing comes up in the server for index=main or host=myhostname
I tried going to the forwarding and receiving section and there is only an option for configuring forwarding, but there are no receiving options.
Also, on my Windows machine I went to C:\Program Files\SplunkUniversalForwarder\etc\system\local and there is no outputs.conf file here.
There are deploymentclient.conf, authentication.conf, server.conf and inputs.conf files, but there is no outputs.conf.
Can anyone tell me what I have done wrong? Why am I not able to onboard my logs?
I also temporarily disabled my firewall to see if my firewall is blocking, but that's not the case, and I am able to telnet to the Splunk Cloud instance.
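The checks below are an added example for diagnosing the situation described in the post (a Universal Forwarder with no outputs.conf and nothing arriving in search); they are not from the original post or from Splunk. On a forwarder that sends to Splunk Cloud, outputs.conf normally arrives inside the Universal Forwarder credentials app (downloaded from the Splunk Cloud UI as splunkclouduf.spl and installed with `splunk install app`), which is why it does not appear under etc\system\local. The install path, the "splunkcloud" app-name pattern and the `inputs.<your-stack>.splunkcloud.com` hostname are assumptions or placeholders to adapt to your own environment.

```powershell
# Added example (not the post's or Splunk's own code): sanity checks for a
# Universal Forwarder that should be sending to Splunk Cloud but shows nothing
# in search. Assumes the default install path; change $UfHome if it differs.
$UfHome    = 'C:\Program Files\SplunkUniversalForwarder'
$SplunkExe = Join-Path $UfHome 'bin\splunk.exe'

# 1. Does any outputs.conf exist under etc at all? On a forwarder set up for
#    Splunk Cloud it is delivered by the credentials app under etc\apps
#    (assumed here to have "splunkcloud" in its name), not etc\system\local.
$outputs = Get-ChildItem -Path (Join-Path $UfHome 'etc') -Recurse `
    -Filter 'outputs.conf' -ErrorAction SilentlyContinue
if (-not $outputs) {
    Write-Warning 'No outputs.conf under etc: the forwarder has no destination and will send nothing.'
} else {
    $outputs | ForEach-Object { Write-Output "outputs.conf found: $($_.FullName)" }
    Get-ChildItem (Join-Path $UfHome 'etc\apps') -Directory |
        Where-Object Name -like '*splunkcloud*' |
        ForEach-Object { Write-Output "Splunk Cloud credentials app present: $($_.Name)" }
}

# 2. Effective (merged) outputs settings, annotated with the file each came from.
& $SplunkExe btool outputs list --debug

# 3. Destinations the forwarder knows about and whether they are active.
#    Prompts for the admin credentials chosen during installation.
& $SplunkExe list forward-server

# 4. Reachability of the receiving port. Splunk Cloud receives forwarder
#    traffic on 9997; $Stack is a placeholder for your own stack hostname.
$Stack = 'inputs.<your-stack>.splunkcloud.com'
Test-NetConnection -ComputerName $Stack -Port 9997 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 5. Recent forwarder-side errors; TcpOutputProc lines show connection problems.
Get-Content (Join-Path $UfHome 'var\log\splunk\splunkd.log') -Tail 200 |
    Select-String -Pattern 'TcpOutputProc|ERROR|WARN'
```

Run it from an elevated PowerShell prompt. If step 1 reports no outputs.conf and no credentials app, install the package downloaded from Splunk Cloud (`& $SplunkExe install app <path>\splunkclouduf.spl`, then restart the forwarder) and run the script again; once `list forward-server` shows the Splunk Cloud endpoint under "Active forwards", events should start appearing in `index=main` within a few minutes.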