Hi,
I'm new to Splunk and I'm trying to set up a Universal Forwarder to forward some data to our Splunk server.
The guys who set up our present Splunk svr can't really help me as they've so far only used Splunk on *ix environment and this is the first UF on a Windows server.
I'm trying to get the UF to forward events that are periodically saved in data-files in a specific directory to our Splunk server.
Source data directory is : C:/datafile/
Destination server is : splunksvr.intranet.local
I installed the forwarder using the splunkforwarder-5.0.8-201809-x64-release.msi.
I can see a lot of things in the logs, but I don't know how to make much sense of some of it.
I found this in splunkd.log
09-15-2014 11:48:11.371 +0200 ERROR TcpOutputProc - **LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.**
09-15-2014 11:48:16.441 +0200 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
One problem is, there are several "outputs.conf", so how do I know which one it's looking for?
I configured "${installdir}/etc/system/local/outputs.conf"
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = splunksvr.intranet.local:9997
[tcpout-server://splunksvr.intranet.local:9997]
There are others in "${installdir}/etc/system/default" and I don't know where else right now.
I also found an app.conf in "${installdir}//etc/apps/MSICreated/local/"
I've read the doc&help, tried the kb and also here but I couldn't find a solution.
I'd appreciate any help.
Serge
... View more