Note: as of Jan 31 this is no longer valid.
Use this instead: http://answers.splunk.com/answers/214420/how-do-i-setup-a-splunk-cloud-trial-sandbox-forwar.html#ans...
You can send data into your Splunk Cloud via forwarder by doing the following:
input-.splunk6.splunktrial.com
for example I used in my outputs.conf file /opt/splunkforwarder/etc/apps/system/local/outputs.conf
[tcpout]
defaultGroup = sandbox
[tcpout:sandbox]
server = input-khourihan-sje-0.splunk6.splunktrial.com:9997
You can find your instance name by going to https://www.splunk.com/getsplunk/cloudtrial and logging into Splunk.com. You can see your Sandbox name there.
More references:
https://www.splunk.com/view/SP-CAAAM3U
I already have a Splunk instance or a Splunk forwarder. How can I send data from my existing Splunk instance to my Splunk Online Sandbox?
You can send data from a Splunk forwarder to your Splunk Online Sandbox using the domain name for your sandbox's Splunk Web. To send data directly to your Splunk Online Sandbox, prefix the domain name with "input-". For example, if the url for your Splunk Online Sandbox is https://username.splunktrial.com, forward your data to input-username.splunktrial.com.
This process has been greatly simplified in recent weeks.
You can now download an app which you can install into a universal forwarder from the sandbox instance itself.
After logging into your instance, click on the "Universal Forwarder" app from the launcher page.
From the subsequent page you can download the app and follow the instructions to install it into a universal forwarder.
Also,
The answers given above were valid at the time of writing but recently we secured all data inputs with a unique SSL certificate and key for each instance so you cannot just manually add the config files and make it work anymore. You have to download the universal forwarder app which has the required credentials embedded.
If you switch to the preconfigured forwarder app, you should remove all the manual forwarding you may have done before (like the outputs.conf in $SPLUNK_HOME/etc/system/local).
Remarks:
- No need to set up the forwarding using the installer option on Windows (skip the step), or the command line and install options.
- You still need to create inputs for your events, but can look at the data in index=_internal and splunkd.log to check.
Hi Raghu,
If I read your server name correctly (and note everyone else can see it)
[tcpout]
defaultGroup = default-autolb-group,sandbox
[tcpout:default-autolb-group]
disabled = false
server = cdcxvt0765.conway.prod.con-way.com:9997
[tcpout:sandbox]
disabled = false
server = input-XXXXXXXXX.splunk6.splunktrial.com:9997
Thanks for giving the settings, and sorry about the font; it was unintentional 🙂
I tried the settings and still no result.
Q - for
[tcpout:splunk_cloud]
disabled = false
server = ?
Did you get the server name from "Splunk server name" in the general settings?
Raghu
@Raghu,
Try following this format: (use a comma not two entries)
[tcpout]
defaultGroup = splunk_cloud,sandbox
[tcpout:splunk_cloud]
disabled = false
server = i1.blah.splunkcloud.com:9997,i2.blah.splunkcloud.com:9997,i3.blah.splunkcloud.com:9997
[tcpout:sandbox]
disabled = false
server = input-khourihansplunk-blah.splunk6.splunktrial.com:9997
PS those fonts you used are awesome!
OK, then that's exactly the one I had changed. But it did not work.
[satibsvc@cdcxvt0765 local]$ cat outputs.conf
[tcpout]
defaultGroup = sandbox
[tcpout:sandbox]
server = input-XXXXXXXXX.splunk6.splunktrial.com:9997
[satibsvc@cdcxvt0765 local]$ pwd
/opt/eicoe/splunkforwarder/etc/system/local
[satibsvc@cdcxvt0765 local]$
@Raghu, you make the modification to ./splunkforwarder/etc/system/local/outputs.conf
afterwards don't forget to restart your forwarder.
OR
Can I change a different outputs.conf? Other outputs.conf files available are:
./splunk/etc/modules/distributedDeployment/classes/deployable/outputs.conf
./splunk/etc/system/default/outputs.conf
./splunk/etc/apps/SplunkLightForwarder/default/outputs.conf
./splunk/etc/apps/SplunkForwarder/default/outputs.conf
./splunkforwarder/etc/system/local/outputs.conf
./splunkforwarder/etc/system/default/outputs.conf
./splunkforwarder/etc/apps/SplunkUniversalForwarder/default/outputs.conf
OR
something else ??
Please advise.
Raghu
When I installed the splunk forwarder in Unix I did not see the folder local under /opt/splunkforwarder/etc/apps/search/
So does this mean I have the wrong install? I installed splunkforwarder-6.1.2-213098-Linux-x86_64.gz
OR
Does this mean I missed a configuration step?
edited the answer for you
The hostname in your forwarder outputs.conf file must be prefixed with input-, i.e., you take the sandbox web interface hostname and prefix input- to the front, e.g., your example above should use input-khourihan-sje-0.splunk6.splunktrial.com:9997 instead of khourihan-sje-0.splunk6.splunktrial.com:9997.
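The outputs.conf mistakes raised in this thread (a repeated key instead of one comma-separated entry, a defaultGroup with no matching stanza, a sandbox host without the input- prefix) can be checked mechanically; the following is an added example, not code from the thread or from Splunk. The function names and sample host are constructed for illustration, and a clean result only means the file is laid out as the answers describe, not that the forwarder will connect, since per the later answer the inputs now require the per-instance credentials shipped in the forwarder app.

```python
import re

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def parse_conf(text):
    """Parse .conf text into {stanza: [(key, value), ...]}, keeping repeated keys."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, [])
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current].append((key, value))
    return stanzas

def lint_outputs(text):
    """Return findings for the outputs.conf mistakes discussed in the thread."""
    findings, stanzas = [], parse_conf(text)
    for name, pairs in stanzas.items():
        keys = [key for key, _ in pairs]
        for dup in sorted({k for k in keys if keys.count(k) > 1}):
            findings.append(f"[{name}] repeats '{dup}'; use one comma-separated entry")
        for key, value in pairs:
            if name == "tcpout" and key == "defaultGroup":
                for group in split_list(value):
                    if f"tcpout:{group}" not in stanzas:
                        findings.append(f"defaultGroup '{group}' has no [tcpout:{group}] stanza")
            if name.startswith("tcpout:") and key == "server":
                for server in split_list(value):
                    host, sep, port = server.rpartition(":")
                    if not sep or not port.isdigit():
                        findings.append(f"[{name}] server '{server}' is not host:port")
                    elif host.endswith(".splunktrial.com") and not host.startswith("input-"):
                        findings.append(f"[{name}] '{host}' lacks the input- prefix")
    return findings

# Constructed sample: placeholder host name, not a real instance.
SAMPLE = """\
[tcpout]
defaultGroup = splunk_cloud
defaultGroup = sandbox
[tcpout:sandbox]
server = example-sandbox.splunk6.splunktrial.com:9997
"""
if __name__ == "__main__":
    print("\n".join(lint_outputs(SAMPLE)))
```

Running the same check over every outputs.conf under the forwarder's etc directory also shows which manually written stanzas are still present after switching to the preconfigured forwarder app.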