Developing for Splunk Enterprise

Why are forwarders not showing up in Add Data - Forwarded Inputs or Deployment Monitor?

BriscJam
New Member

I'm very new to Splunk and trying to figure some things out on my LAN. I managed to get one of the other PCs to send data to my Splunk Enterprise via LAN monitoring, but the PC does not appear as a Forwarder. I've set up my machine to listen on the default port of 9997, and set the Forwarder to send data on the same port to my IP. I've followed the steps listed for enabling a receiver and set up forwarding and receiving and I've restarted both iterations of Splunk (Enterprise and the Forwarder) more times than I care to recount, yet I still have no Forwarder showing when I try to add data from Forwarders. Am I missing something? Do I need to use the CLI to change something rather than the GUI?

Thanks for any and all help!

James

0 Karma

emikulic
Explorer

Try seeing if you are getting inputs from the host you are expecting in the _internal index on your indexer in search:

index=_internal host=windowsserver01

If the indexer has data from that host I believe it would show up there.

emikulic
Explorer

You can also check inbound EventsPerSecond or Kbps similarly:

index=_internal "group=thruput" host=myhosts* | timechart avg(instantaneous_eps) by host span=1m

or

index=_internal "group=thruput" host=myhosts* | timechart avg(instantaneous_kbps) by host span=1m

Naturally, you'd check these in a real-time or short window if you are looking for what is happening at that minute.

0 Karma
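
As an added example (not part of any post in this thread): a search to run on the receiving instance that lists every forwarder that has opened a connection to the receiving port, based on the `tcpin_connections` group the receiver writes to metrics.log. It assumes the default `_internal` index and the standard field names in those events (`hostname`, `sourceIp`, `fwdType`, `version`, `kb`, `destPort`).

```spl
index=_internal source=*metrics.log* group=tcpin_connections
| stats latest(_time) AS last_seen sum(kb) AS total_kb values(destPort) AS dest_port BY hostname, sourceIp, fwdType, version
| eval minutes_since_last_seen = round((now() - last_seen) / 60, 1)
| eval last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - total_kb
```

A host that is listed with a small `total_kb` is connecting but sending little data; a host that is missing from the results has not completed a connection to the receiver in the selected time range.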

BriscJam
New Member

Further digging has shown that the Forwarding PC is not sending anything other than keep alive data to the Receiving machine, and that's what I'm seeing in my searches. Perhaps I need to rephrase my question:

Where do I start troubleshooting the connection between Forwarding and Receiving, GUI or CLI? Is there anything else I need to do besides following the Enabling a Receiver and Set Up Forwarding and Receiving tutorials?

FYI, the Forwarding machine is running Windows 8 64-bit and the Receiving machine is running Windows 7 64-bit.

0 Karma

jtaylor67
New Member

I'm in the very same boat. I can see the traffic coming in on port 9997 using tcpdump, but I cannot see the forwarders at all on the Add Data panel. I'm very new to Splunk (just this week). I see this post was back in February - did you ever get it to work?

0 Karma