Getting Data In

App deploys from the Deployment Server, but why is the deployment client not sending any data?

puffycow
Explorer

So I am experiencing an oddity with Splunk and I am hoping it is just something I am overlooking.

I have an indexer that also acts as a deployment server (Linux) and I am using a test client (Windows). On the deployment server, I create two apps, Splunk_TA_windows and sendtoindexer. I created the inputs.conf in the local folder of the Splunk_TA_windows app:

[WinEventLog://Application]
disabled = 0
index = wineventlog

[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog

And the outputs.conf in the local folder of the sendtoindexer app:

[tcpout]
disabled = false
defaultGroup = default-autolb-group

[tcpoutput:default-autolb-group]
server = hostname:9997

[tcpout-server://hostname:9997]

On Forwarder Management, I set the whitelists/blacklists so that the test machine is targeted to get both of these apps. When looking at the Server Class page, at the bottom under Clients, I see my test server and that under Deployed Apps I see 2, so that's good, but in the middle of that page under Apps, it shows both of my apps, and under the Clients column it shows 0 deployed for both.

Anyways, when checking the SplunkUniversalForwarder/etc/apps folder on the client machine I see both apps are deployed as expected. However, when I perform a search checking for either the hostname of the client or the index I set in the inputs.conf file, I do not get any results.

Any help would be appreciated. Let me know if anything I said didn't make sense or if more information would be useful.

1 Solution

puffycow
Explorer

Well, I feel really silly now. In line 5 of my outputs.conf I have:

[tcpoutput:group]

And it should have been:

[tcpout:group]

Sigh. Sorry for the time I wasted!
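The fix above comes down to one mis-typed stanza header: a forwarder silently ignores a stanza it does not recognise, so `[tcpoutput:group]` leaves `defaultGroup` pointing at a group that was never defined. As an added example (not from this thread, and not a Splunk tool; `splunk btool outputs list --debug` remains the authoritative check), the checker below parses an outputs.conf body and reports exactly that class of mistake. It assumes only the stanza families used in the post (`[tcpout]`, `[tcpout:<group>]`, `[tcpout-server://...]`), so other valid stanza types would be flagged too.

```python
import configparser

# Constructed sample: the outputs.conf from the question, with the
# mis-typed [tcpoutput:...] header that the forwarder silently ignores.
BROKEN_OUTPUTS_CONF = """\
[tcpout]
disabled = false
defaultGroup = default-autolb-group

[tcpoutput:default-autolb-group]
server = hostname:9997

[tcpout-server://hostname:9997]
"""

# Same file with the header corrected to [tcpout:<group>].
FIXED_OUTPUTS_CONF = BROKEN_OUTPUTS_CONF.replace("[tcpoutput:", "[tcpout:")


def check_outputs_conf(text):
    """Return a list of problems found in an outputs.conf body (empty = OK).

    Assumption: only the tcpout stanza families are expected here, so any
    other header is reported as a probable typo. Also checks that every
    group named in defaultGroup has a [tcpout:<group>] stanza with a server.
    """
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # keep key case: defaultGroup, not defaultgroup
    cp.read_string(text)

    problems = []
    groups = {}
    for name in cp.sections():
        if name.startswith("tcpout:"):
            groups[name.split(":", 1)[1]] = cp[name]
        elif name != "tcpout" and not name.startswith("tcpout-server://"):
            problems.append(f"unknown stanza [{name}] (typo? the forwarder ignores it)")

    if "tcpout" in cp:
        for group in cp["tcpout"].get("defaultGroup", "").split(","):
            group = group.strip()
            if not group:
                continue
            if group not in groups:
                problems.append(f"defaultGroup '{group}' has no [tcpout:{group}] stanza")
            elif not groups[group].get("server"):
                problems.append(f"[tcpout:{group}] has no server setting")
    return problems
```

Run against the broken file it reports both the unknown `[tcpoutput:...]` stanza and the dangling `defaultGroup`; the corrected file yields no problems.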

mosman_splunk
Splunk Employee

Make sure of the following:
1- hostname is resolvable
2- 9997 is ready on the receiving side (indexer OR HF, or all in one)
3- make sure there is no firewall between the UF and the receiver (use telnet or nc to ensure that)
4- run /opt/splunk/bin/splunk btool outputs list --debug on the HF
5- run /opt/splunk/bin/splunk btool inputs list --debug on the receiver

Make sure that steps 4 and 5 give you what is expected.

Good luck


puffycow
Explorer

Thanks for the reply! 1-3 are definitely okay, I just checked. When running the btool on the forwarder I see the outputs.conf info from the sendtoindexer app, so that seems good. When I run the btool on the receiver I see a lot of different inputs.conf entries from a lot of different apps, but they are all located in the /etc/apps/* folder, none from the /etc/deployment-apps/ folder.

Could that be the issue? Or should my apps appear in both /apps/ and /deployment-apps/ ?


puffycow
Explorer

More info that may be pertinent...

On the client, the /etc/local has no outputs.conf and I am getting:

ERROR: TcpOutputProc  - LightWeightForwarder/UniversalForwarder no configured. Please configure outputs.conf.

... even though /etc/apps/sendtoindexer/local/outputs.conf exists.
