How do I set up a Splunk Cloud Trial (Sandbox) Forwarder?

khourihan_splun
Splunk Employee

I've noticed customers having problems with the current 6.2.1 Online Sandboxes. As of last month, the UI has changed significantly with the new upgrade.

Customers used to have to manually enter their outputs.conf, but that's changed now. How do you do it?

1 Solution

khourihan_splun
Splunk Employee

Now with the new version of Splunk, you can get your Forwarder Configuration app right from the GUI. It contains all the settings to setup security and tell the forwarder where to send your machine data.

From the Launcher app (default landing page)

Look on the left of the screen and click the forwarder app

From there you will download your forwarder config app.

Follow the instructions and you are good to go.

Inside there are a bunch of files, but notice the outputs.conf, and see the server= setting on the line below. So you aren’t using the same FQDN as you use for the UI.

[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
compressed = false
disabled = false
server = input-blah.cloud.splunk.com:9997
sslCommonNameToCheck = blah.cloud.splunk.com
sslCertPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/client.pem
sslPassword = fdf1c4601674ddd5fca3db0486d927db
sslRootCAPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/cacert.pem
sslVerifyServerCert = true
useACK = true

Give that a whirl and let me know what you think.

Regards,
Kyle

PS One note on WINDOWS forwarders. During installation, the wizard asks you to enter Deployment Server and Receiving Indexer FQDNs or IPs. LEAVE THEM BLANK.
The .spl package will configure your receiving indexer(s) for you, and unless you have an on premise DS, then leave it blank. Else, your data will never show up and you will be unhappy.


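As an added example (not part of the post or of the splunkclouduf app), a small checker for the outputs.conf shown above: it reads the stanza named by defaultGroup, flags settings that would weaken transport security (verification off, no CA path, no CN to check, no ACK), and can open a TLS session to the input endpoint to confirm the chain validates against sslRootCAPath and the presented CN equals sslCommonNameToCheck. The host name and sslPassword in the sample are placeholders, and the real path, port and CA file are assumed to be whatever your downloaded app contains.

```python
"""Review a Splunk Cloud forwarder outputs.conf before deploying it (added example)."""
import configparser
import os
import socket
import ssl

# Constructed sample that mirrors the stanza layout in the post; host and password are placeholders.
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
compressed = false
disabled = false
server = input-EXAMPLE.cloud.splunk.com:9997
sslCommonNameToCheck = EXAMPLE.cloud.splunk.com
sslCertPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/client.pem
sslPassword = PLACEHOLDER
sslRootCAPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/cacert.pem
sslVerifyServerCert = true
useACK = true
"""

def parse_outputs(text):
    """Return the settings of the [tcpout:<defaultGroup>] stanza as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    group = cp["tcpout"]["defaultGroup"]
    return dict(cp[f"tcpout:{group}"])

def check_settings(cfg):
    """Return the problems a reviewer would flag; an empty list means the stanza looks sound."""
    problems = []
    host, _, port = cfg.get("server", "").partition(":")
    if not host or not port.isdigit():
        problems.append("server must be host:port")
    if cfg.get("sslVerifyServerCert", "false").lower() != "true":
        problems.append("sslVerifyServerCert is not true: the indexer's identity is not verified")
    if not cfg.get("sslRootCAPath"):
        problems.append("sslRootCAPath missing: nothing to validate the indexer cert against")
    if not cfg.get("sslCommonNameToCheck"):
        problems.append("sslCommonNameToCheck missing: any cert signed by the CA would be accepted")
    if cfg.get("useACK", "false").lower() != "true":
        problems.append("useACK is false: the forwarder will not wait for indexer acknowledgement")
    return problems

def tls_probe(cfg, timeout=5):
    """Connect to the input endpoint over TLS; return (presented CN, CN matches sslCommonNameToCheck)."""
    host, _, port = cfg["server"].partition(":")
    ctx = ssl.create_default_context(cafile=os.path.expandvars(cfg["sslRootCAPath"]))
    ctx.check_hostname = False           # Splunk compares the CN to sslCommonNameToCheck, not to the host
    ctx.verify_mode = ssl.CERT_REQUIRED  # the chain must still validate against sslRootCAPath
    with socket.create_connection((host, int(port)), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cn = dict(pair[0] for pair in tls.getpeercert()["subject"]).get("commonName")
            return cn, cn == cfg.get("sslCommonNameToCheck")
```

A plain TCP connect (telnet) succeeding while tls_probe raises an ssl.SSLError points at the certificate or CA material rather than at the network path.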
delzinga
New Member

Wow, the confusion and major lack of user friendly install directions is terrible. I considered using Splunk, but I've spent more time trying to install/configure for this Sandbox that it's no longer worth my time.

0 Karma

avaikar
New Member

Doesn't seem to work for me.
This is what I see in the log:

04-03-2017 15:38:31.923 +0000 INFO  DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
04-03-2017 15:38:34.429 +0000 WARN  HttpPubSubConnection - Unable to parse message from PubSubSvr: 
04-03-2017 15:38:34.429 +0000 INFO  HttpPubSubConnection - Could not obtain connection, will retry after=32.804 seconds.
04-03-2017 15:38:43.923 +0000 INFO  DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
04-03-2017 15:38:55.923 +0000 INFO  DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
04-03-2017 15:38:57.482 +0000 ERROR TcpOutputFd - Connection to host=52.201.237.113:9997 failed. sock_error = 104. SSL Error = error:00000000:lib(0):func(0):reason(0)
04-03-2017 15:39:07.441 +0000 WARN  HttpPubSubConnection - Unable to parse message from PubSubSvr: 
04-03-2017 15:39:07.442 +0000 INFO  HttpPubSubConnection - Could not obtain connection, will retry after=63.757 seconds.

I tried telnet to the IP & port, and that seems to go through.

Missed mentioning that this is on ubuntu.

The outputs.conf is:

[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
compressed = false
disabled = false
server = input-prd-p-h3z7wk2hxjrm.cloud.splunk.com:9997
sslCommonNameToCheck = input-prd-p-h3z7wk2hxjrm.cloud.splunk.com
sslCertPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/client.pem
sslPassword = 8997f53906a6bc9140a895e78335143b
sslRootCAPath = $SPLUNK_HOME/etc/apps/splunkclouduf/default/cacert.pem
sslVerifyServerCert = true
useACK = true

0 Karma

malkiz_walkme
Explorer

Does this also work on windows?
What are the commands I should run? (instead of the *nix paths)
How do I know if it worked?

Cuyose
Builder

Odd, this did nothing when I ran it. No output at all, and none of my outputs.conf files were edited. There seem to be no actual Windows commands in the docs.

0 Karma

khourihan_splun
Splunk Employee

@Cuyose, can you make a diag, create a ticket and upload it? PM me the case # at kyle@splunk.com and we can take a look.

0 Karma

khourihan_splun
Splunk Employee

Yes, it works on Windows too. Just run the same splunk install app from the "C:\Program Files\splunkforwarder\bin" directory (or wherever %SPLUNK_HOME%\bin lives).

0 Karma

khourihan_splun
Splunk Employee

Note: this app took out the backslashes, but you should not.

0 Karma