Getting Data In

Files not indexed on new installation.

damian_ingenie_
New Member

I've followed the documentation as best I can to create an instance of Splunk Enterprise on one Windows server.
Then added port 9997 as a receiving data port on this admin page "http://localhost:8000/en-US/manager/search/data/inputs/tcp/cooked"

Then on a different server I've installed a universal forwarder. Then added c:\logs as a monitor folder using the CLI command .\splunk.exe add monitor c:\logs
The confirmation "Added monitor of 'c:\logs'." was displayed.

After doing all this the logs still don't appear in the Splunk web interface! Is there a log I can look in to see if the files in the logs folder are getting sent or if there is an error? I'm not sure what I'm missing now.

All running on Windows 2012 R2 64-bit.

cheers
Damo


MuS
SplunkTrust

Hi,

Check step 5 in the docs http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Setupforwardingandreceiving#Set_up_for... you have to tell the forwarder where to send the monitored data.

cheers, MuS

damian_ingenie_
New Member

Thanks for the pointer, I'm looking into it now.

I used the command line from PowerShell
cmd /c "msiexec.exe /i splunkforwarder-6.2.1-245427-x64-release.msi AGREETOLICENSE=Yes RECEIVING_INDEXER='simdc01:9997' MONITOR_PATH='c:\logs' PERFMON=cpu,memory,network,diskspace /quiet"
to install the forwarder.

Is there a CLI command for telling the forwarder where to send the data?

MuS
SplunkTrust

Looks good to me. Can you connect from the forwarder to the indexer on port 9997? Any firewall in between, or routing problems? What does splunkd.log on the indexer and the forwarder report?

damian_ingenie_
New Member

Thanks for replying so quickly. I've got the splunkd logs for both, what am I looking for exactly?

In the forwarder I can see:

TailingProcessor - Parsing configuration stanza: monitor://c:\logs.
...
TailingProcessor - Adding watch on path: c:\logs.

But I also see this:
ERROR TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.
which I guess is what you are referring to in step 5.
Is there a CLI command for setting this up?
cheers
Damian

MuS
SplunkTrust

Using the flag RECEIVING_INDEXER='simdc01:9997' should have taken care of the outputs.conf...
Did you check any of the outputs.conf on your forwarder if the config is correct?

damian_ingenie_
New Member

None of the forwarder's outputs.conf files contain that.
I've added a file at C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf with the following:
[tcpout]
RECEIVING_INDEXER='simdc01:9997'

I've restarted the service but I'm still getting the error
TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.

MuS
SplunkTrust

oh .. no, that's not correct. The option RECEIVING_INDEXER is only used on the CLI. Use this instead in your outputs.conf:

[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = simdc01:9997
autoLB = true

Use it this way, because you can add another indexer very easily and have load balancing between them.
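
Added example, not part of the original thread: a small Python check for the outputs.conf layout given in the answer above. It flags the mistake seen earlier (the installer property RECEIVING_INDEXER used as a setting) and a default group with no usable server. The helper names and sample strings are constructed for illustration, and it covers only the [tcpout] / [tcpout:<group>] layout shown here.

```python
import configparser

# Constructed samples mirroring the two outputs.conf versions posted in this thread.
BROKEN = "[tcpout]\nRECEIVING_INDEXER='simdc01:9997'\n"
FIXED = """[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = simdc01:9997
autoLB = true
"""

def _items(value):
    """Split a comma-separated setting; a missing or empty value yields []."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def lint_outputs_conf(text):
    """Hypothetical helper: list problems that leave the forwarder with no output."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False, allow_no_value=True)
    cp.optionxform = str  # keep setting names as written (defaultGroup, autoLB)
    cp.read_string(text)
    if not cp.has_section("tcpout"):
        return ["no [tcpout] stanza"]
    problems = []
    if cp.has_option("tcpout", "RECEIVING_INDEXER"):
        problems.append("RECEIVING_INDEXER is an installer property, not an outputs.conf setting")
    groups = _items(cp.get("tcpout", "defaultGroup", fallback=""))
    if not groups:
        problems.append("[tcpout] has no defaultGroup")
    for group in groups:
        stanza = "tcpout:" + group
        if not cp.has_section(stanza):
            problems.append("[%s] is missing" % stanza)
            continue
        servers = _items(cp.get(stanza, "server", fallback=""))
        if not servers:
            problems.append("[%s] has no server" % stanza)
        for entry in servers:
            host, sep, port = entry.rpartition(":")
            if not (sep and host and port.isdigit() and 0 < int(port) < 65536):
                problems.append("[%s] server '%s' is not host:port" % (stanza, entry))
    return problems

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_outputs_conf(conf) or "ok")
```

Run against each forwarder's etc\system\local\outputs.conf, a non-empty result identifies hosts that are monitoring files but not shipping them.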

damian_ingenie_
New Member

Brilliant, now getting the message

TcpOutputProc - Connected to idx=10.181.230.238:9997

And seeing a test log file in the Splunk UI.
Thanks
Only question left is how do I automate what I just did?
I think the only CLI command I need is the one to configure tcpout. Is this what you were referring to with the RECEIVING_INDEXER='simdc01:9997' comment earlier?

MuS
SplunkTrust

Take a look at the docs: http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/DeployaWindowsdfviathecommandline (you can find some examples in there). Feel free to accept this as answered - you will get some karma too 😉
