- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Newbie Universal forwarding. Is there a full examp...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Newbie Universal forwarding. Is there a full example to forward a simple file or directory?
Dear Group:
Splunk Universal Forwarder 6.0 (build 182037)
I have my splunk indexer working on one machine "vm251.foo.com:8000".
I have installed universal forwarder on another machine "vm252.foo.com".
I have enabled receiving on "vm251" on port 9997.
I have enabled forwarding on vm252 as follows: sudo /opt/splunkforwarder/bin/splunk add forward-server vm251.foo.com:8000 -auth admin:mypwd
I can list my forwarding as follows: sudo /opt/splunkforwarder/bin/splunk list forward-server
Active forwards:
None
Configured but inactive forwards:
vm251.foo.com:8000
I have added a directory to monitor as follows:
sudo /opt/splunkforwarder/bin/splunk add monitor /var/log
I can list my monitors as follows: sudo /opt/splunkforwarder/bin/splunk list monitor and I see /var/log as a monitored directory.
PROBLEM: My forwarder does not seem to be forwarding anything. I have monitored port 9997 using tcpdump and see nothing. What am I doing wrong? I cannot find anything in the docs to help me. Maybe I am looking at the wrong docs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear group ,
my remote splunkforwader is able to connect splunk server , but still i don't see any index details about that splunkforwader
plz help me out
details:
/opt/splunkforwarder/bin/splunk add monitor /home/rahul/logdata/log/reportslog/report.log.one.2015-06-10.gz -index reportlogfiles -sourcetype reportslog
Added monitor of '/home/rahul/logdata/log/reportslog/report.log.one.2015-06-10.gz'.
rahul@rahul-desktop:/opt/splunkforwarder/bin$ sudo /opt/splunkforwarder/bin/splunk list monitor
$SPLUNK_HOME/var/log/splunk/splunkd.log
/home/rahul/logdata/log/reportslog/report.log.one.2015-06-10.gz'
sudo /opt/splunkforwarder/bin/splunk list forward-server
Active forwards:
localhost:9997
Configured but inactive forwards:
None
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear Group:
Of course as soon as I asked the question, I figured it out. Looks like I have to forward to port 9997 not 8000 and it started working. I assumed port 8000 would negotiate to 9997, but I was wrong.
I simply changed my forward to port 9997 all is good now.
Funny how writing out a question makes you see it in a different light. 🙂
Leo P.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
