How to configure a local Splunk Enterprise instance as both a forwarder and indexer?

sakarunanitk
Explorer

Hi,

I have installed Splunk Enterprise version locally and configured the below from Splunk Web.
1-forwarding host:port, (localhost:9997)
2-receiving port to match with the same port.(9997)
3- Data input to point to a directory (c:\data)

I don't see any data in search and reporting, even on adding files to the directory (c:\data)

Can I not use the same local instance as both a forwarder and indexer?

Thanks,
Saravana

somesoni2
Revered Legend

By default every Splunk instance can monitor data locally (technically a forwarder's functionality). Since you want to index the data locally and not send/forward it to any other indexer instance, you don't need to configure forwarding or receiving. Just set up the data input and you should be good to go.

How are you configuring the data inputs? UI or inputs.conf?

View solution in original post

somesoni2
Revered Legend

By default every Splunk instance can monitor the data locally (technically forwarder's functionality). Since you want to index the data locally and not to send/forward to any other indexer instance, you don't need to configure forwarding OR receiving. Just setup the data input and you should be good to go.

How are you configuring data inputs?? UI OR using inputs.conf?

sakarunanitk
Explorer

Thanks a lot for the response. I am configuring using the UI. I added a directory in the Data Inputs section and restarted Splunk, but when I go to the Search & Reporting app I don't see any data. Could you please let me know if I need to do any other configuration?

Thanks,
Saravana

somesoni2
Revered Legend

I would check a few things:
1) Check if the data input is listed under Data Inputs and is in the enabled state.
2) If you have access to the server, run the following to see if the file you posted has been monitored by Splunk or not:
$SPLUNK_HOME/bin/splunk.exe list monitor

3) Since you added the data input from the UI, check if you're monitoring a file or the directory (check in the data input page). I'm guessing it would be monitoring a specific file, so you would have to update inputs.conf on the server to monitor the folder.
4) Check the timestamps on the events in the file and see if they're within the retention period of the index that you're using.

I would also check the index/sourcetype being used in the search to see if it matches the values from the data input.
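
The checklist above can be run mechanically against an inputs.conf. The script below is an added example, not code from the thread or from Splunk: it parses a monitor stanza, flags a disabled input, a single-file path, an invalid whitelist/blacklist regex and a non-default index that a search would have to name explicitly, and checks whether an event timestamp falls inside the index's retention window. The sample config is constructed from the stanza posted later in this thread, the default search index set (`main`) is an assumption to adjust for your role's srchIndexesDefault, and the retention value is Splunk's stock frozenTimePeriodInSecs.

```python
import os
import re
import configparser
from datetime import datetime, timedelta, timezone

# Constructed sample: the monitor stanza posted later in this thread. The path
# and values are reproduced for illustration; nothing is read from a live host.
SAMPLE_INPUTS_CONF = """
[monitor://C:\\SplunkDir]
disabled = false
whitelist = .
sourcetype = csv
index = test
"""

# Splunk's out-of-the-box frozenTimePeriodInSecs (about six years).
DEFAULT_FROZEN_TIME_PERIOD_SECS = 188697600

# Assumption for this example: indexes searched when no index= is given.
# Check your own role's srchIndexesDefault in authorize.conf.
DEFAULT_SEARCH_INDEXES = ("main",)


def parse_inputs_conf(text):
    """Parse inputs.conf text into {stanza_name: {key: value}}, keeping key case."""
    cp = configparser.RawConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # Splunk setting names are case-sensitive
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def check_monitor_stanza(name, settings, default_indexes=DEFAULT_SEARCH_INDEXES):
    """Apply the checklist from the answer above to one stanza.

    Returns (severity, message) tuples: 'error' means the input cannot ingest,
    'warn' is a likely reason for an empty search, 'info' is advisory.
    """
    findings = []
    if not name.startswith("monitor://"):
        return [("info", f"{name}: not a monitor input, skipped")]
    path = name[len("monitor://"):]

    # 1) Is the input enabled?
    if settings.get("disabled", "false").strip().lower() in ("1", "true"):
        findings.append(("error", f"{name}: input is disabled"))

    # 3) File or directory? A directory stanza picks up files added later; a
    #    single-file stanza does not. Only verifiable on the Splunk host itself,
    #    so fall back to a filename heuristic when the path is absent.
    if os.path.exists(path):
        if os.path.isfile(path):
            findings.append(("warn", f"{name}: monitors a single file, not the directory"))
    elif re.search(r"\.[A-Za-z0-9]{1,5}$", path):
        findings.append(("warn", f"{name}: path looks like a single file; monitor the directory"))
    else:
        findings.append(("info", f"{name}: path not present on this host; run on the indexer to verify"))

    # whitelist/blacklist are regexes matched against the full path; an invalid
    # one means no file is selected.
    for key in ("whitelist", "blacklist"):
        if key in settings:
            try:
                re.compile(settings[key])
            except re.error as exc:
                findings.append(("error", f"{name}: {key} is not a valid regex ({exc})"))

    # The index/sourcetype in the search must match the input's values.
    index = settings.get("index", "main")
    if index not in default_indexes:
        findings.append(("warn", f"{name}: writes to index '{index}'; search with index={index} explicitly"))
    if "sourcetype" not in settings:
        findings.append(("info", f"{name}: no sourcetype set, Splunk will auto-detect one"))
    return findings


def event_within_retention(event_time, frozen_secs=DEFAULT_FROZEN_TIME_PERIOD_SECS, now=None):
    """4) Is an event timestamp inside the index's retention window?

    A bucket whose newest event is older than frozenTimePeriodInSecs is rolled
    to frozen, so a file of very old events can be read yet never show in search.
    """
    now = now or datetime.now(timezone.utc)
    return event_time >= now - timedelta(seconds=frozen_secs)


if __name__ == "__main__":
    for stanza, settings in parse_inputs_conf(SAMPLE_INPUTS_CONF).items():
        for severity, message in check_monitor_stanza(stanza, settings):
            print(f"[{severity}] {message}")
    # Constructed timestamp: a CSV row dated 2010 checked against today's clock.
    old_event = datetime(2010, 1, 1, tzinfo=timezone.utc)
    print("2010 event inside default retention:", event_within_retention(old_event))
```

Run it on the indexer (where the monitored path exists) for the file-versus-directory check to be authoritative; elsewhere it only reports a heuristic. Pair it with `splunk list monitor` for what the tailing processor actually picked up.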

sakarunanitk
Explorer

Thanks for the response. On running list monitor I get the entry below:
Monitored Files:
$SPLUNK_HOME\etc\splunk.version
C:\SplunkDir
Could you please let me know where inputs.conf is and what to change in it to make it a folder?

Thanks for your patience

sakarunanitk
Explorer

Below is my inputs.conf file, present in
C:\Program Files\Splunk\etc\apps\search\local\inputs.conf

[monitor://C:\SplunkDir]
disabled = false
whitelist = .
sourcetype = csv
index = test

sakarunanitk
Explorer

I figured out the problem. Thanks a lot for the assistance.
