Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Cannot See Universal Forwarder from Splunk Enterprise

tclotworthy
New Member
‎03-31-2017 09:55 AM

Hello,

I have installed splunk enterprise in a windows environment. I have installed Universal Forwarder on a separate machine. Before running the ./splunk add forward_server command (to add the indexer), I ran ipconfig from the windows box where splunk enterprise is. Using that IPv4 address (lets call it xxx.xx.xxx.xxx). I then successfully pinged that address from where I installed the forwarder (a linux machine). Then, using the default forwarder port (9997), I ran the command as:

./splunk add forward-server xxx.xx.xxx.xxx:9997

which ran successfully. I then restarted forwarder like:

./splunk restart

and the forwarder successfully restarted. I verified that the outputs.config file in the splunk_home/etc/system/local had the correct settings:

defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = xxx.xx.xxx.xxx:9997

[tcpout-server://xxx.xx.xxx.xxx:9997]

I then logged into the splunk enterprise web interface, and selected "Add Data" link, and then the "forward" link. At the top is says "Select Forwarders", but beneath that there is a red triangle that says "There are currently no forwarders configured as deployment clients to this instance".

Am I doing something wrong? If so, how do I diagnose and correct? Grateful for any response!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎03-31-2017 10:49 AM

There are couple of point here
1. enable listening on the indexer: Settings -> Forwarding and Receiving -> Configure Receiving -> new -> add port 9997
2. now, check if data is coming from forwarder by searching: index = _internal host=<yourForwarder> | head
3. if the data is there, you are good to proceed to add the forwarder as a Deployment Client (if you wish to) if not, check this doc for further troubleshooting: http://docs.splunk.com/Documentation/Splunk/6.5.2/Troubleshooting/Cantfinddata
4. to add the forwarder as a deployment client, use the following commmand on the forwarder

splunk set deploy-poll <IP_address/hostname>:<management_port>
splunk restart

more details here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Updating/Configuredeploymentclients
5. now navgaite to settings -> Forwarder Management and see your forwarder
Hope it helps

View solution in original post

Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎03-31-2017 10:49 AM

There are couple of point here
1. enable listening on the indexer: Settings -> Forwarding and Receiving -> Configure Receiving -> new -> add port 9997
2. now, check if data is coming from forwarder by searching: index = _internal host=<yourForwarder> | head
3. if the data is there, you are good to proceed to add the forwarder as a Deployment Client (if you wish to) if not, check this doc for further troubleshooting: http://docs.splunk.com/Documentation/Splunk/6.5.2/Troubleshooting/Cantfinddata
4. to add the forwarder as a deployment client, use the following commmand on the forwarder

splunk set deploy-poll <IP_address/hostname>:<management_port>
splunk restart

more details here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Updating/Configuredeploymentclients
5. now navgaite to settings -> Forwarder Management and see your forwarder
Hope it helps

Reply
Solved! Jump to solution

tclotworthy
New Member
‎04-03-2017 05:51 AM

thanks for reply adonio. I have successfully set up my universal forwarder as a deployment client by following your directions.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-31-2017 10:32 AM

In Splunk Enterprise GUI, go to Settings->Forwarding and Receiving and click Configure Receiving. Verify your forwarder is listed there. If it isn't, click the New button to tell Splunk to listen on the right port.

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...