Forwarding and Receiving

Yan_Yi_Goh
Explorer

Hi all,

I'm very new to Splunk and am using it for a school project. I was tasked to forward data from a Forwarder to a Receiver. I've visited various parts of the documentation (e.g. Set up forwarding and receiving) and tried searching around for solutions, but I'm still confused about what to do.

I'm using a Virtual Machine to receive data, and the normal PC's OS for forwarding data. What I have done is to install the Universal Forwarder to the PC, and the normal Splunk on the VM. I have also set up the receiver at the VM by going to Manager » Forwarding and receiving » Receive data and entered the port number: 9997.

Went to the PC -> $SPLUNK_HOME\etc\system\local\outputs.conf, which already had this:

[tcpout]
defaultGroup = win-lcjuo9fhe9t_9997

[tcpout:win-lcjuo9fhe9t_9997]
server = win-lcjuo9fhe9t:9997

[tcpout-server://win-lcjuo9fhe9t:9997]

I then went to my PC's command line and used the command:

splunk add oneshot C:\Users\user\Desktop\fox.log

Went back to the VM (receiver) and enabled the Deployment Monitor app. It doesn't show that any forwarder has been trying to connect to it.

I'm still confused about how to get the fox.log file (which I created with a few lines of data) forwarded into the Splunk receiver (in the VM). Hope to get some help. Thank you!

1 Solution

Masa
Splunk Employee
It is usually a very simple setting for sending and receiving. I recommend starting over to set it up, and try adding the file from the directory the file exists in, avoiding a path, to make it even simpler.

 1. Make sure there is no firewall turned on on either PC
 2. Make sure you restarted the forwarder after configuring it.
 3. Just in case, restart the receiver, too
 4. At the forwarder, search "index=_internal source=*metrics.log* tcpout* " and make sure you see the IP address or host name of the receiver
 5. At the receiver, search "index=_internal source=*metrics.log* tcpin* " and make sure you see the IP address or host name of the forwarder
 6. At the receiver, run the search "index=* | stats count by source" and see if you can find the file path you just added as a oneshot.
 7. Try the IP address instead of the hostname in outputs.conf if this does not work (maybe NetBIOS is not resolved).
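Added here as a worked example, not part of Masa's answer or any Splunk tooling: a small Python script that walks the connectivity items of the checklist above against an outputs.conf. It parses the server list of each [tcpout:<group>] stanza, resolves and TCP-probes each receiver (steps 1 and 7), and scans metrics.log text for tcpout_connections records (step 4). The outputs.conf is the one from the question; the metrics.log line is a constructed sample in the key=value shape of Splunk's Metrics records, not a real capture.

```python
import configparser
import re
import socket

def parse_outputs_conf(text):
    """[(group, host, port)] from every server= key in [tcpout:<group>] stanzas."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    targets = []
    for section in cp.sections():
        if section.startswith("tcpout:"):
            for entry in cp.get(section, "server", fallback="").split(","):
                if entry.strip():
                    host, _, port = entry.strip().rpartition(":")
                    targets.append((section.split(":", 1)[1], host, int(port)))
    return targets

def check_reachable(host, port, timeout=3.0):
    """Resolve, then TCP-connect. No resolution -> step 7 (use the IP); resolved but
    closed -> step 1 (firewall) or the receiver is not listening on that port."""
    result = {"host": host, "resolved": None, "open": False}
    try:
        result["resolved"] = socket.gethostbyname(host)   # gaierror is an OSError
        with socket.create_connection((result["resolved"], port), timeout=timeout):
            result["open"] = True                          # refused/timeout stay False
    except OSError:
        pass
    return result

_METRIC = re.compile(r"group=(?P<group>\w+),\s*(?P<rest>.*)$")

def tcpout_peers(metrics_text):
    """Set of (destIp, destPort) from tcpout_connections records (step 4 of the list)."""
    peers = set()
    for line in metrics_text.splitlines():
        m = _METRIC.search(line)
        if m and m.group("group") == "tcpout_connections":
            f = dict(p.strip().split("=", 1) for p in m.group("rest").split(",") if "=" in p)
            if "destIp" in f and "destPort" in f:
                peers.add((f["destIp"], int(f["destPort"])))
    return peers

# Constructed samples: the question's outputs.conf, and one metrics.log record in the
# key=value shape of Splunk's Metrics lines (address and counters made up here).
SAMPLE_OUTPUTS_CONF = ("[tcpout]\ndefaultGroup = win-lcjuo9fhe9t_9997\n\n"
                       "[tcpout:win-lcjuo9fhe9t_9997]\nserver = win-lcjuo9fhe9t:9997\n")
SAMPLE_METRICS_LOG = (
    "01-01-2014 10:00:00.000 +0000 INFO  Metrics - group=tcpout_connections, "
    "name=win-lcjuo9fhe9t_9997:192.168.1.20:9997:0, sourcePort=8089, destIp=192.168.1.20, "
    "destPort=9997, _tcp_Bps=0.00, _tcp_KBps=0.00, _tcp_eps=0.00\n"
)
```

A receiver that resolves and has port 9997 open but never shows up in tcpout_peers() of the forwarder's own metrics.log usually means the forwarder was not restarted after outputs.conf changed (step 2).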



Yan_Yi_Goh
Explorer

Hey @Masa, I managed to telnet over. Got it to work, and like you said, it's the firewall problem. Thanks a lot for the help!


Masa
Splunk Employee

Sadly, MS Windows removed telnet from default commands...

It's your choice to use UF/LWF/Heavy Forwarder. Either one should work.


Yan_Yi_Goh
Explorer

I've managed to ping another PC's IP address in the same network, and decided to change from working between a host PC and a VMware VM. So right now, it's just between two PCs, both running Windows 7. I'm not sure how to telnet; even after searching on Google, the

> telnet xx.xx.xx.xx 9997

command doesn't seem to work in my command prompt. I went on to use the 'ping' command in the command prompt, and managed to ping the new PC.

Another quick question: Do I need to use the Universal Forwarder or the Light/Heavy Forwarder?


Masa
Splunk Employee

You can check if there is a connection between the PCs by telnet.

telnet <hostname> 9997

Yan_Yi_Goh
Explorer

Where do I put the fox.log file? I went to the receiver to check using your search statement, but nope, it doesn't show the file path of the log file I added as oneshot.

I tried putting the IP address, but it doesn't work either. There's probably something wrong with using a PC host connecting to the VMware VM.
