Getting Data In

Forwarder configuration to forward os data

mkashif
Explorer

Hello,

How can I install and configure a forwarder on my Windows machine to transfer OS data (CPU load, memory, etc.) to my Splunk indexer (running on a Solaris machine)?

I want the Windows machine data to be displayed in my NIX app on my indexer.

Guide me about what configurations I would have to make for this. Also, would I need a universal forwarder for this or a light forwarder?

Regards,


mw
Splunk Employee

You'll have to configure your indexer to receive data. Install the Windows Universal Forwarder and set it to forward to the indexer (you should be prompted to do this during the install, but here's the doc: http://www.splunk.com/base/Documentation/4.2.1/Deploy/Configureforwarderswithoutputs.confd ). During the install you can also enable Perfmon inputs, but I believe there's a bug right now in the installer where the Perfmon inputs won't actually be created, so I think you'll have to do it by hand -- http://www.splunk.com/base/Documentation/latest/Admin/Perfmonconf .

However, the Windows data won't show in the nix app. You'll want to install the Windows app on the search head.


mkashif
Explorer

Thank you for your answer, dear.

I have installed the forwarder on the Windows machine, and my Perfmon data is shown in my indexer when I perform a search by IP address.

The problem I was getting was that the data is not shown in the NIX app, which you have answered: Windows data is not supported in the NIX app.

I have deployed another forwarder on a Solaris machine, but its data is also not being shown in NIX. As I understand it, it might be a problem in the configuration.

What I did was just install the universal forwarder on the machine and configure the port in its output.conf file. The data from this machine is also shown when I perform a search by IP; however, the host is not listed under the host list in the NIX app. Do I have to make any further configurations in it?

Regards,


mw
Splunk Employee

Did you configure any inputs on the Solaris machine? If not, you can deploy the full Unix app to the Solaris machine and enable the inputs (i.e. copy the desired stanza headers from default/inputs.conf to local/inputs.conf and set disabled = false).

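The Solaris setup described in this thread, laid out end to end as an added example (not part of the original posts): a receiving port on the indexer, the forwarder's output group, and the Unix app inputs enabled in `local/`. The port 9997, the host name `indexer.example.com`, the group name `indexers`, the app directory `unix` and the script names are assumptions; copy the real stanza headers from the app's own `default/inputs.conf`.

```ini
# --- Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Open a receiving port for forwarder traffic (9997 is an assumed value).
# Plain splunktcp is unencrypted, so limit who can reach this port.
[splunktcp://9997]
disabled = false

# --- Solaris forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Send everything this forwarder collects to the indexer group below.
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
# Assumed host name; the port must match the indexer's receiving port.
server = indexer.example.com:9997

# --- Solaris forwarder: $SPLUNK_HOME/etc/apps/unix/local/inputs.conf ---
# Only the stanza header and the override are needed here; every other
# setting (interval, sourcetype, index) is inherited from default/inputs.conf.
[script://./bin/cpu.sh]
disabled = false

[script://./bin/vmstat.sh]
disabled = false

[script://./bin/df.sh]
disabled = false
```

Restart the forwarder after editing these files so the new inputs are picked up. If the app's default stanzas send events to a dedicated index, that index has to exist on the indexer.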
