Hi, I am new to Splunk and am testing how the Splunk system works. I tried installing the Windows app for Splunk on my Windows 7 PC, and the universal forwarder and Windows TA app on another Windows Server 2008 PC, and am able to get and display the data. I installed the Linux App on my Windows 7 PC and the Universal forwarder and Linux TA on an Ubuntu machine, but am not able to display the data on my Windows 7.
I did:
1) Set up receiving on my Windows 7 on port 9997
2) Copy the inputs.conf file from the /opt/splunkforwarder/etc/app/SplunkTAnix/default to the /SplunkTAnix/local file
3) Have output.conf file at /opt/splunkforwarder/etc/system/local with
[tcpout]
defaultGroup=syslog_index
disabled = false
[tcpout:syslog_index]
server=(my ip address):9997
4) inputs.conf file at /opt/splunkforwarder/etc/system/local with
[default]
host = mysender.local
5) Did check the connection using the list forward-server, and there is an active connection with the IP and port that I input in my output.conf file
Any help is appreciated, thanks.
It sounds like you've verified your connectivity between the forwarder and the indexer (Windows 7 PC). The next step is to verify the inputs on the forwarders themselves. As I recall, the Unix TA (for the Ubuntu box) doesn't have any of its inputs enabled out of the box. You'd have to pick and choose the ones you want enabled. Note that changes to inputs.conf require restarting the forwarder, so you'll have to do that on the Ubuntu box before you'll see log data in the indexer.
I checked it; the size is 1.
Thanks for the help. By default the input.conf is all disabled = 1, so after setting it to 0 it works.
First, let's make sure you have data.
On your Splunk Indexer, check for data in the OS index.
Manager > Indexes
Look for the OS index and verify that the size and event count are greater than zero.
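The cause found in this thread (a local inputs.conf copied from default still carries disabled = 1 on every input) can be checked before restarting the forwarder. The following is an added example, not code from the thread or from Splunk: it merges a default and a local inputs.conf key by key and lists the inputs that remain disabled. The stanza names and file contents are constructed samples, and treating 1 or true as "disabled" is an assumption of the sketch.

```python
import re

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def disabled_inputs(default_text, local_text):
    """Return input stanzas still disabled after local/ overrides default/."""
    merged = {name: dict(kv) for name, kv in parse_conf(default_text).items()}
    for name, kv in parse_conf(local_text).items():
        merged.setdefault(name, {}).update(kv)  # local wins key by key
    return sorted(
        name for name, kv in merged.items()
        if name != "default" and kv.get("disabled", "0").lower() in ("1", "true")
    )

# Constructed sample, not the TA's real file contents.
DEFAULT_CONF = """
[script://./bin/cpu.sh]
interval = 30
sourcetype = cpu
index = os
disabled = 1

[monitor:///var/log]
index = os
disabled = 1
"""

# Constructed local/inputs.conf that only flips the one input that is wanted.
LOCAL_CONF = """
[default]
host = mysender.local

[monitor:///var/log]
disabled = 0
"""

if __name__ == "__main__":
    print("copied unchanged:", disabled_inputs(DEFAULT_CONF, DEFAULT_CONF))
    print("after local edit:", disabled_inputs(DEFAULT_CONF, LOCAL_CONF))
```

An empty result for the inputs you care about means they will start collecting once the forwarder is restarted.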