I have a universal forwarder installed on my Windows server. I am trying to send Event Logs with certain Event Types to the indexer server. In addition to that, I am sending files stored in a location on my server to the indexer server. All this data needs to be sent to a particular index on the indexer server. However, when I search the indexer with the index name, I am not able to get any results.
inputs.conf from my Forwarder:
[default]
host = WIN2K3CPT
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[WinEventLog://Application]
disabled = 0
index=applogrc
sourcetype = srcapplogrc
whitelist = SourceName="^RC_ProcessInstAppService_Failure$"
whitelist1 = SourceName="^RC_ProductTransferService_Failure$"
whitelist2 = SourceName="^RC_MarketOfferProcessor_Failure$"
whitelist3 = EventType="Warning"
[monitor://F:\inetpub\wwwroot\T3Report]
disabled = 0
index=applogrc
sourcetype = srcapplogrc
whitelist = CMC\.txt|RC\.txt
props.conf from the indexer server:
[srcapplogrc]
TRANSFORMS-index=sendtoapplogrc
transforms.conf from the indexer server:
[sendtoapplogrc]
REGEX=.
DEST_KEY = _MetaData:Index
FORMAT = applogrc
Hi, there's no need for the props and transforms in this case because you're specifying the index in the inputs.conf stanza.
Have you made sure that port 11070 is open from your machine to the other machine? Firewalls can block this connection, such as Windows firewall, network firewalls, Linux firewalls (iptables, apparmor), etc.
Also, to be sure, the inputs and outputs .conf files should be on the universal forwarder, not the Splunk indexer. You mentioned inputs.conf was on the UF but nothing about the location of outputs.conf, so I'm just checking to be sure.
Finally, I removed your internal server names from your post for your own protection.
Thanks, Michael. The location of my outputs.conf is within the UF (etc/system/local) itself. Also, I did a telnet to port 11070. It's open.
Is there anything specific that we need to configure within the forwarder for it to actually start forwarding data? I am of the assumption that it starts sending the data automatically once outputs.conf is placed and the instance restarted.
That's all it takes so long as the account splunkd is running under has permissions to read the data you're looking for and then receiving is enabled on the indexers on that port.
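The two conditions in the answer above (splunkd can read the inputs, and the indexer is actually receiving on the port) both leave traces in splunkd.log, on the forwarder and on the indexer respectively. The script below is an added example, not from this thread or from Splunk: it scans splunkd.log excerpts for those traces and reports what is blocking the data. The log lines in it are constructed for the example and only modelled on the shape of real splunkd.log messages, which varies between Splunk versions, so the regexes are assumptions to adjust against your own log; the host and server names are the placeholders already used in the thread.

```python
"""Triage splunkd.log excerpts from a universal forwarder and an indexer.

Added example (not from the thread). Looks for: the forwarder connecting to
(or failing to reach) the receiving port, the splunkd service account being
denied read access to an input, and the indexer dropping events for an
index that does not exist.
"""
import re
from collections import defaultdict

# Constructed sample lines (not from the thread), modelled on the shape of
# splunkd.log messages; exact wording differs between Splunk versions, so
# adjust the patterns below to what your own splunkd.log actually says.
UF_LOG = """\
03-10-2015 10:00:58.001 +0000 WARN  TcpOutputFd - Connect to server1.mydomain.com:11070 failed. Connection refused
03-10-2015 10:01:02.123 +0000 INFO  TcpOutputProc - Connected to idx=server1.mydomain.com:11070
03-10-2015 10:01:30.500 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.5:11070 timed out
03-10-2015 10:02:00.000 +0000 WARN  WinEventLogInputProcessor - Failed to open event log 'Application': Access is denied.
03-10-2015 10:03:00.000 +0000 WARN  FilesystemChangeWatcher - error getting attributes of path "F:\\inetpub\\wwwroot\\T3Report": Access is denied.
"""

IDX_LOG = """\
03-10-2015 10:01:05.000 +0000 WARN  IndexProcessor - Received event for unconfigured/disabled/deleted index=applogrc with source="WinEventLog:Application" host="WIN2K3CPT" sourcetype="srcapplogrc" (1 missing total)
"""

# Forwarder-side patterns; group 1 is the detail we report.
UF_PATTERNS = {
    "connected":      re.compile(r"TcpOutputProc - Connected to idx=(\S+)"),
    "connect_failed": re.compile(r"Connect to (\S+) failed"),
    "timed_out":      re.compile(r"connection to ip=(\S+) timed out"),
    "access_denied":  re.compile(r"(?:WinEventLogInputProcessor|FilesystemChangeWatcher|TailingProcessor) - (.*Access is denied)"),
}
# Indexer-side pattern: events arrived but the target index is not defined.
IDX_PATTERNS = {
    "missing_index":  re.compile(r"unconfigured/disabled/deleted index=(\w+)"),
}


def scan(log_text, patterns):
    """Return {finding_name: [captured detail, ...]} for every matching line."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        for name, pat in patterns.items():
            m = pat.search(line)
            if m:
                findings[name].append(m.group(1))
    return findings


def triage(uf_log, idx_log):
    """Combine forwarder and indexer findings into one plain dict."""
    findings = scan(uf_log, UF_PATTERNS)
    findings.update(scan(idx_log, IDX_PATTERNS))
    return dict(findings)


def verdict(findings):
    """Turn findings into a list of human-readable blockers (empty = none seen)."""
    problems = []
    if not findings.get("connected"):
        problems.append("forwarder never reported a successful connection; check receiving port and firewalls")
    for ep in findings.get("connect_failed", []) + findings.get("timed_out", []):
        problems.append(f"connection to {ep} failed or timed out")
    for msg in findings.get("access_denied", []):
        problems.append(f"splunkd service account lacks read access: {msg}")
    for idx in findings.get("missing_index", []):
        problems.append(f"indexer is dropping events because index '{idx}' is not defined in indexes.conf")
    return problems


if __name__ == "__main__":
    for problem in verdict(triage(UF_LOG, IDX_LOG)):
        print("-", problem)
```

Point it at `$SPLUNK_HOME\var\log\splunk\splunkd.log` on the forwarder and the same file on the indexer; a forwarder that shows "Connected to idx=" but whose data still never appears usually means the index is missing on the indexer, which is the last check in the list.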
@ppablo_splunk hey man, is there any way we can delete/edit the comments the OP made that contained his server names from the question history?
The terms index and indexer are different things. I see your configuration for sending to particular index values, but if you are trying to send some stuff to certain indexers, we need to see your outputs.conf.
Thanks. Here it is:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = server1.mydomain.com:11070
[tcpout-server://server1.mydomain.com:11070]
Note: All these conf files are in the system\local folder. And I did try restarting the Splunk instance after the changes.
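With the outputs.conf visible, three settings have to agree across the two machines before any search can return data: the index named in the forwarder's inputs.conf must be defined in the indexer's indexes.conf, and the host:port in the forwarder's outputs.conf must match an enabled [splunktcp://port] receiving stanza in the indexer's inputs.conf. The script below is an added example, not from this thread or from Splunk, that reads these four files and reports any mismatch. The forwarder-side files are the ones posted above, trimmed to the index-relevant keys; the indexer-side inputs.conf and indexes.conf are assumed for the example because the thread never shows them.

```python
"""Cross-check forwarder and indexer .conf files before chasing firewalls.

Added example (not from the thread). Splunk .conf files are INI-style, so
configparser is enough; stanza names may contain ':' and '/', and only '='
separates keys from values.
"""
import configparser

# Forwarder-side files, copied from the question (whitelists omitted).
UF_INPUTS = """\
[default]
host = WIN2K3CPT

[WinEventLog://Application]
disabled = 0
index=applogrc
sourcetype = srcapplogrc

[monitor://F:\\inetpub\\wwwroot\\T3Report]
disabled = 0
index=applogrc
sourcetype = srcapplogrc
"""

UF_OUTPUTS = """\
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = server1.mydomain.com:11070
"""

# Indexer-side files; assumed for the example, the thread never shows them.
IDX_INPUTS = """\
[splunktcp://11070]
disabled = 0
"""

IDX_INDEXES = """\
[applogrc]
homePath   = $SPLUNK_DB/applogrc/db
coldPath   = $SPLUNK_DB/applogrc/colddb
thawedPath = $SPLUNK_DB/applogrc/thaweddb
"""


def parse_conf(text):
    """Parse a Splunk-style .conf file into a ConfigParser."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",),
                                   comment_prefixes=("#",))
    cp.read_string(text)
    return cp


def _enabled(cp, stanza):
    return cp.get(stanza, "disabled", fallback="0").strip().lower() in ("0", "false")


def indexes_used(inputs_text):
    """Index names that the forwarder's enabled inputs write to."""
    cp = parse_conf(inputs_text)
    return {cp.get(s, "index").strip() for s in cp.sections()
            if _enabled(cp, s) and cp.get(s, "index", fallback="").strip()}


def output_targets(outputs_text):
    """host:port entries of the default tcpout group."""
    cp = parse_conf(outputs_text)
    group = cp.get("tcpout", "defaultGroup", fallback="").strip()
    servers = cp.get(f"tcpout:{group}", "server", fallback="")
    return {s.strip() for s in servers.split(",") if s.strip()}


def receiving_ports(idx_inputs_text):
    """Ports with an enabled [splunktcp://...] or [splunktcp-ssl://...] stanza."""
    cp = parse_conf(idx_inputs_text)
    ports = set()
    for s in cp.sections():
        if s.startswith(("splunktcp://", "splunktcp-ssl://")) and _enabled(cp, s):
            ports.add(s.split("://", 1)[1].rsplit(":", 1)[-1])
    return ports


def defined_indexes(indexes_text):
    """Index stanzas on the indexer (ignoring [default] and volume stanzas)."""
    cp = parse_conf(indexes_text)
    return {s for s in cp.sections() if s != "default" and not s.startswith("volume:")}


def check(uf_inputs, uf_outputs, idx_inputs, idx_indexes):
    """Return a list of mismatches; an empty list means the four files agree."""
    problems = []
    for idx in sorted(indexes_used(uf_inputs) - defined_indexes(idx_indexes)):
        problems.append(f"index '{idx}' is used in inputs.conf but not defined on the indexer")
    ports = receiving_ports(idx_inputs)
    for target in sorted(output_targets(uf_outputs)):
        port = target.rsplit(":", 1)[-1]
        if port not in ports:
            problems.append(f"outputs.conf sends to {target} but the indexer has no enabled splunktcp stanza on port {port}")
    return problems


if __name__ == "__main__":
    print(check(UF_INPUTS, UF_OUTPUTS, IDX_INPUTS, IDX_INDEXES) or "configs agree")
```

Run it with the real files read from `etc/system/local` on each host (or with `splunk btool inputs list --debug` output if the setting might live in an app). If the index is the missing piece, the receiving side accepts the connection and the forwarder looks healthy, which is exactly the situation where the thread's telnet test passes and the search still returns nothing.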