universal forwarder

sarah89
Path Finder

Please, I need help.

I deployed a universal forwarder by following the tutorial "Distributed Deployment Manual".

The universal forwarder on the machine is configured like this:

inputs.conf
[default]
host = atelcom-62de949

[monitor://Documents and Settings\sarah\Bureau\splunk image]
disabled = false

output.conf

[tcpout]
defaultGroup = 192.168.0.45_9997
[tcpout:192.168.0.45_9997]
server = 192.168.0.45:9997
[tcpout-server://192.168.0.45:9997]

The Splunk instance (the indexer) is installed on a Windows Server 2008 virtual machine.
I enabled the receiver, but when I use the deployment monitor to see the forwarder I don't find anything from it; it doesn't seem to be working.
Can you please tell me how to fix this?

sarah89
Path Finder

I had to disable the firewalls of Windows Server 2008.

sarah89
Path Finder

Thanks a lot, I get it.

0 Karma

Ayn
Legend

You should have a look at splunkd.log on the indexer to see what error messages you're getting. Ideas on possible problems: non-SSL connection to an SSL enabled listening port, mismatch on compression settings.

0 Karma

sarah89
Path Finder

splunk server :

Process= splunkd.exe
PID=1360
Protocol= TCP
Local address= lab2008
Local port =9997
Remote address= lab2008
Remote port=0
Stat= LISTENING

universal forwarder :

Process= splunkd.exe
PID=1332
Protocol= TCP
Local address= atelcom-62de949.ssg20-wlan
Local port =1215
Remote address= lab2008
Remote port=9997
Stat= established

0 Karma

Ayn
Legend

Can you connect to the indexer on port 9997 from the host you're running the Universal Forwarder on?

0 Karma
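
One way to run the connectivity check asked about above, as an added example that is not part of the original thread and not Splunk tooling: it reads the `server` targets from the forwarder's outputs.conf and separates a timeout (typical of a firewall silently dropping packets) from a refused connection (host reachable, nothing listening). The function names `forward_targets` and `probe` are assumptions, and the embedded config is a constructed sample based on the one posted in the question.

```python
import configparser
import socket

# Constructed sample input, based on the outputs.conf posted in the thread.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = 192.168.0.45_9997
[tcpout:192.168.0.45_9997]
server = 192.168.0.45:9997
[tcpout-server://192.168.0.45:9997]
"""

def forward_targets(conf_text):
    """Return (host, port) pairs from every [tcpout:<group>] server setting."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",))
    cp.read_string(conf_text)
    targets = []
    for section in cp.sections():
        if not section.startswith("tcpout:"):
            continue  # skip [tcpout] defaults and [tcpout-server://...] stanzas
        for entry in cp.get(section, "server", fallback="").split(","):
            host, sep, port = entry.strip().rpartition(":")
            if sep and host and port.isdigit():
                targets.append((host, int(port)))
    return targets

def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt made from the forwarder host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"      # handshake completed, receiver is reachable
    except socket.timeout:
        return "timeout"       # no reply at all: packets likely filtered
    except ConnectionRefusedError:
        return "refused"       # host answered, but no listener on the port
    except OSError as exc:
        return "error: %s" % exc

if __name__ == "__main__":
    for host, port in forward_targets(SAMPLE_OUTPUTS_CONF):
        print(host, port, probe(host, port))
```
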

sarah89
Path Finder

Hello all,

Please, can anyone help me? I'm stuck here, I couldn't figure it out.

0 Karma

sarah89
Path Finder

Tell me please, what do the inputs.conf and outputs.conf of the indexer look like?

0 Karma

sarah89
Path Finder

I have only INFO and WARN like this:
04-08-2012 11:59:01.265 +0100 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...

4-08-2012 12:01:25.781 +0100 WARN TcpOutputProc - Cooked connection to ip=192.168.0.45:9997 timed ou

0 Karma

MarioM
Motivator

Check if there is any error in your forwarder's splunkd.log (splunkforwarder\var\log\splunk\).

0 Karma

sarah89
Path Finder

I still have the problem, please tell me what I should do to fix this.

0 Karma

sarah89
Path Finder

Thanks, I will try to add this to the path.

0 Karma

sarah89
Path Finder

How can I see the splunkd.log around connections to the indexer?

0 Karma

twkan
Splunk Employee

I am not sure if it's a typo error, but can you verify your file is outputs.conf and not output.conf like what you have mentioned?

0 Karma

sarah89
Path Finder

I checked it, it is outputs.conf, not output.conf.
It was just a typo error.

0 Karma

MHibbin
Influencer

Shouldn't the file path in the monitor stanza be absolute, i.e. include the disk? For example...

[monitor://C:\Documents and Settings\sarah\Bureau\splunk image]

Or whatever the location may be... I've always used the absolute path to be certain.

0 Karma

jbsplunk
Splunk Employee

Could you provide some details around what you're seeing in Splunkd.log around connections to the indexer?

0 Karma