Getting Data In

Why am I unable to create a Windows event log input and get error "No forwarders configured as deployment clients to this instance"?

jjclements
Engager

I have installed a universal forwarder on a Windows server, choosing to forward some of the Windows event logs, and then installed the credentials using the following command:

C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe install app C:\splunkclouduf.spl -auth admin:changeme

I then received a message in my instance that stated "splunk received event for unconfigured/disabled/deleted index=‘wineventlog’" so I created an appropriate index named wineventlog.

However, I am still unable to create a 'Data Input' for 'Windows Event Logs', I always receive the message "There are currently no forwarders configured as deployment clients to this instance". I'm not sure why this is, as clearly the universal forwarder on my server is sending data to my Splunk cloud instance, otherwise I would never have received the message regarding the missing index.

I have found the majority of the Splunk documentation to be very outdated, many dead links to documentation that no longer exists or has been moved, screenshots that no longer match either the universal forwarder installer OR the Splunk Cloud interface. I'm probably missing something really silly here, I've read over lots of previous questions stating that something is missing from outputs.conf or there may be a missing deploymentclient.conf file. I have tried running:

splunk.exe set deploy-poll

and received:

In handler 'deploymentclient': No configuration change made.

This is a standalone Splunk Cloud instance. I am still unable to create a 'Data Input' for 'Windows Event Logs', although I can now see that there is data in the wineventlog index I created earlier (although I can't search it).

Thanks in advance,

James

1 Solution

gneumann_splunk
Splunk Employee

Hi James,

I’m the Splunk Light technical writer, and I wrote detailed steps for the deploy-poll command. Try the steps below as it should solve your issue. Disregard the reference to Splunk Light, as it should work the same for Splunk Cloud. I’m not sure what your management port is, but the default is 8089.

Did you install the universal forwarder using the CLI, or using the installation wizard? Typically, the installation wizard has a configure as a Deployment Server screen that should configure this deploy-poll command for you.

Try this:
———————————————
Configure the universal forwarder to be a deployment client

Configure the universal forwarder to be a "deployment client". This allows you to configure data inputs on the universal forwarder from the Splunk Light cloud service, which is also the "deployment server".

a. Register the universal forwarder as a deployment client of the Splunk Light cloud service. From $SPLUNK_HOME\bin, enter the following command:

.\splunk set deploy-poll input-<Splunk Light cloud service hostname>:<mgmtPort>

  • Splunk Light cloud service hostname is the cloud instance URL, less https://, such as instance.cloud.splunk.com or abc-d-12abcdefghij.cloud.splunk.com, and prepended with input-
  • mgmtPort default is 8089

For example, .\splunk set deploy-poll input-abc-d-12abcdefghij.cloud.splunk.com:8089

b. Restart the universal forwarder.
This can take up to 15 minutes as the Splunk Light cloud service updates.

———————————————
If these steps do not solve your issue, let me know and I can talk to the other technical writers to help get you the correct information.
Thanks!
Gayle Neumann
Senior Technical Writer


skear
Engager

This solved my issue as well. As someone who just started a Splunk cloud trial I found it very frustrating that this step isn't mentioned anywhere in the initial setup documentation.

Honestly why is this manual step even necessary? It seems like the installer should be able to take care of this.

As James mentioned, I'm finding the documentation to be very outdated and full of links to old information.

0 Karma

jjclements
Engager

Hi Gayle,

Thanks so much for your answer! I can confirm that running the following command does indeed fix the issue for me:

splunk.exe set deploy-poll input-abc-d-12abcdefghij.cloud.splunk.com:8089

I did install the universal forwarder using the installation wizard, and I did see the 'Deployment Server' screen. However I think the wording on that screen threw me a little. It wasn't clear to me that I had to enter my Splunk instance details in order to configure the universal forwarder to actually be a "deployment client". I may have even tried to enter my instance details, but missed off the 'input-' part of the URL. Again, I couldn't see any specific instructions in the documentation for this, and I may have incorrectly assumed that this would be handled as part of installing the credentials (splunkclouduf.spl), as after performing this step I checked the configuration files and could see what I thought were the correct URLs in the correct places in these files.

Thanks so much for your help, much appreciated!

James
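
The target format from the accepted answer, and the missed 'input-' prefix described in the reply above, as an added example that is not part of the original posts or Splunk's own tooling. It derives the deploy-poll target from the instance URL and compares it with targetUri in deploymentclient.conf; the function names, the conf location under etc\system\local and the sample conf lines are assumptions.

```powershell
# Added example, not Splunk's code. Function names and the conf path under
# etc\system\local are assumptions; the sample conf lines are constructed.
function ConvertTo-DeployPollTarget {
    param([Parameter(Mandatory)][string]$InstanceUrl, [int]$MgmtPort = 8089)
    # Drop the scheme, then anything from the first '/' or ':' (path, pasted port).
    $h = $InstanceUrl.Trim() -replace '^[a-z]+://', '' -replace '[/:].*$', ''
    if ($h -notmatch '^[A-Za-z0-9.-]+$') { throw "Not a hostname: '$InstanceUrl'" }
    # Prepend 'input-' only when missing, so a correct value is not doubled.
    if ($h -notlike 'input-*') { $h = "input-$h" }
    return ('{0}:{1}' -f $h.ToLower(), $MgmtPort)
}

function Get-ConfiguredTargetUri {
    param([string[]]$ConfLines)
    $inStanza = $false
    foreach ($line in $ConfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inStanza = ($Matches[1] -eq 'target-broker:deploymentServer')
        } elseif ($inStanza -and $t -match '^targetUri\s*=\s*(\S+)') {
            return $Matches[1]
        }
    }
    return $null
}

# Constructed sample: the instance host was entered without 'input-'.
$sample = @(
    '[deployment-client]',
    '[target-broker:deploymentServer]',
    'targetUri = abc-d-12abcdefghij.cloud.splunk.com:8089'
)
$conf = Join-Path $env:ProgramFiles 'SplunkUniversalForwarder\etc\system\local\deploymentclient.conf'
$lines = if (Test-Path $conf) { Get-Content $conf } else { $sample }

$expected = ConvertTo-DeployPollTarget 'https://abc-d-12abcdefghij.cloud.splunk.com'
$actual = Get-ConfiguredTargetUri $lines
if ($actual -eq $expected) {
    "OK: targetUri is $actual"
} else {
    "targetUri is '$actual', expected '$expected'"
    "Fix from the forwarder's bin directory: .\splunk set deploy-poll $expected"
}
```

With the constructed sample the script reports the mismatch and prints the corrected command; restart the universal forwarder after applying it, as step b of the answer says.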

gneumann_splunk
Splunk Employee

Great James! So glad this info worked for you!

I will pass along your input to product management and the documentation team, as we are working on updates to the universal forwarder installers and documentation to make sure the situation you ran into doesn't happen.

All the best...and happy Splunking!
Gayle

0 Karma