Try this

khourihan_splun · ‎07-24-2014

How do you send data from a forwarder into a Splunk Cloud Sandbox trial environment?

khourihan_splun · ‎07-24-2014

Note as for Jan 31 this is no longer valid.

Use this instead: http://answers.splunk.com/answers/214420/how-do-i-setup-a-splunk-cloud-trial-sandbox-forwar.html#ans...

You can send data into your Splunk Cloud via forwarder by doing the following:

From the Splunk UI, login as Admin
Under Settings » Forwarding and receiving, Enable port 9997 from Splunk's UI in your Sandbox instance
On your forwarder, you set the outputs to input-.splunk6.splunktrial.com

for example I used in my outputs.conf file /opt/splunkforwarder/etc/apps/system/local/outputs.conf

[tcpout]
defaultGroup = sandbox

[tcpout:sandbox]
server =  input-khourihan-sje-0.splunk6.splunktrial.com:9997

You can find your instance name by going to https://www.splunk.com/getsplunk/cloudtrial and logging into Splunk.com. You can see your Sandbox name there.

Then, if you haven't done so already, configure your inputs.
Restart your Splunk on your forwarder

More references:

https://www.splunk.com/view/SP-CAAAM3U

I already have a Splunk instance or a
Splunk forwarder. How can I send data
from my existing Splunk instance to my
Splunk Online Sandbox? You can send
data from a Splunk forwarder to your
Splunk Online Sandbox using the domain
name for your sandbox's Splunk Web. To
send data directly to your Splunk
Online Sandbox, prefix the domain name
with "input-". For example, if the url
for your Splunk Online Sandbox is
https://username.splunktrial.com,
forward your data to
input-username.splunktrial.com.

View solution in original post

declanshanaghy · ‎01-08-2015

This process has been greatly simplified in recent weeks.
You can now download an app which you can install into a universal forwarder from the sandbox instance itself.

After logging into your instance, click on the "Universal Forwarder" app from the launcher page.
From the subsequent page you can download the app and follow the instructions to install it into a universal forwarder.

Also,
The answers given above were valid at the time of writing but recently we secured all data inputs with a unique SSL certificate and key for each instance so you cannot just manually add the config files and make it work anymore. You have to download the universal forwarder app which has the required credentials embedded.

yannK · ‎01-14-2015

If you switch to the preconfigured forwarder app, you should remove all the manual forwarding you may have done before (like the outputs.conf in $SPLUNK_HOME/etc/system/local).

Remarks :
- no need to setup the forwarding using the installer option on windows (skip the step), or the Command line and install options.
- You still need to create inputs for your events, but can look at the data in index=_internal and splunkd.log to check.

khourihan_splun · ‎07-24-2014

Note as for Jan 31 this is no longer valid.

Use this instead: http://answers.splunk.com/answers/214420/how-do-i-setup-a-splunk-cloud-trial-sandbox-forwar.html#ans...

You can send data into your Splunk Cloud via forwarder by doing the following:

From the Splunk UI, login as Admin
Under Settings » Forwarding and receiving, Enable port 9997 from Splunk's UI in your Sandbox instance
On your forwarder, you set the outputs to input-.splunk6.splunktrial.com

for example I used in my outputs.conf file /opt/splunkforwarder/etc/apps/system/local/outputs.conf

[tcpout]
defaultGroup = sandbox

[tcpout:sandbox]
server =  input-khourihan-sje-0.splunk6.splunktrial.com:9997

You can find your instance name by going to https://www.splunk.com/getsplunk/cloudtrial and logging into Splunk.com. You can see your Sandbox name there.

Then, if you haven't done so already, configure your inputs.
Restart your Splunk on your forwarder

More references:

https://www.splunk.com/view/SP-CAAAM3U

I already have a Splunk instance or a
Splunk forwarder. How can I send data
from my existing Splunk instance to my
Splunk Online Sandbox? You can send
data from a Splunk forwarder to your
Splunk Online Sandbox using the domain
name for your sandbox's Splunk Web. To
send data directly to your Splunk
Online Sandbox, prefix the domain name
with "input-". For example, if the url
for your Splunk Online Sandbox is
https://username.splunktrial.com,
forward your data to
input-username.splunktrial.com.

khourihan_splun · ‎08-06-2014

Hi Raghu,

If I read your server name correctly (and note everyone else can see it)

Try this

[tcpout]
defaultGroup = default-autolb-group,sandbox

[tcpout:default-autolb-group]
disabled = false
server = cdcxvt0765.conway.prod.con-way.com:9997

[tcpout:sandbox]
disabled = false
server = input-XXXXXXXXX.splunk6.splunktrial.com:9997

raghunand · ‎08-06-2014

Thanks for giving setting and sorry about the font, it was unintentional 🙂

I tried the settings and still no result.

Q - for
[tcpout:splunk_cloud]
disabled = false
server = ?
Did you get the server name from "Splunk server name" in the general settings ?

Raghu

khourihan_splun · ‎08-05-2014

@Raghu,

Try following this format: (use a comma not two entries)

[tcpout]
defaultGroup = splunk_cloud,sandbox

[tcpout:splunk_cloud]
disabled = false
server = i1.blah.splunkcloud.com:9997,i2.blah.splunkcloud.com:9997,i3.blah.splunkcloud.com:9997

[tcpout:sandbox]
disabled = false
server = input-khourihansplunk-blah.splunk6.splunktrial.com:9997

PS those fonts you used are awesome!

raghunand · ‎08-05-2014

ok then thats exactly the one I had changed. But it did not work

[satibsvc@cdcxvt0765 local]$ cat outputs.conf
[tcpout]

defaultGroup = default-autolb-group

defaultGroup = sandbox

[tcpout:default-autolb-group]

server = cdcxvt0765.conway.prod.con-way.com:9997

[tcpout-server://cdcxvt0765.conway.prod.con-way.com:9997]

[tcpout:sandbox]
server = input-XXXXXXXXX.splunk6.splunktrial.com:9997
[satibsvc@cdcxvt0765 local]$ pwd
/opt/eicoe/splunkforwarder/etc/system/local
[satibsvc@cdcxvt0765 local]$

khourihan_splun · ‎08-05-2014

@Raghu, you make the modification to ./splunkforwarder/etc/system/local/outputs.conf

afterwards don't forget to restart your forwarder.

raghunand · ‎08-05-2014

OR
Can I change a different output.conf. Other output.conf available are

./splunk/etc/modules/distributedDeployment/classes/deployable/outputs.conf
./splunk/etc/system/default/outputs.conf
./splunk/etc/apps/SplunkLightForwarder/default/outputs.conf
./splunk/etc/apps/SplunkForwarder/default/outputs.conf
./splunkforwarder/etc/system/local/outputs.conf
./splunkforwarder/etc/system/default/outputs.conf
./splunkforwarder/etc/apps/SplunkUniversalForwarder/default/outputs.conf

OR
something else ??

Please advice ?

Raghu

raghunand · ‎08-05-2014

When I installed the splunk forwarder in Unix I did not see the folder local under /opt/splunkforwarder/etc/apps/search/
So does this mean I have the wrong install? I installed splunkforwarder-6.1.2-213098-Linux-x86_64.gz
OR
Does does this mean I missed a configuration step?

gkanapathy · ‎07-24-2014

edited the answer for you

gkanapathy · ‎07-24-2014

The hostname in your forwarder outputs.conf file must be prefixed with input-, i.e., you take the sandbox web interface hostname and prefix input- to the front, e.g., your example about should use input-khourihan-sje-0.splunk6.splunktrial.com:9997 instead of khourihan-sje-0.splunk6.splunktrial.com:9997.

How do I send my own data into a Splunk Cloud Sandbox Trial?

Try this

defaultGroup = default-autolb-group

[tcpout:default-autolb-group]

server = cdcxvt0765.conway.prod.con-way.com:9997

[tcpout-server://cdcxvt0765.conway.prod.con-way.com:9997]

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes