Getting Data In

Why my sourcetypes under universal forwarder not showing up in Splunk GUI?

ibob0304
Communicator

We have a Windows forwarder running on vm02, forwarding data to vm01, which is the main Splunk Enterprise instance.

We configured the inputs and props.conf at the vm02 forwarder level. So far we are able to search the events in vm01 coming from vm02. But when we go to the sourcetypes or inputs link in the vm01 GUI, we don't see any sourcetypes or inputs that are configured at the forwarder level. But we are able to search the events using the forwarder sourcetypes in vm01.

How to make the vm01 GUI show the vm02 sourcetypes and inputs?

0 Karma

mattymo
Splunk Employee

Hi ibob0304!

In order for configurations on a forwarder to be seen on another Splunk instance, you would need to put the config files on said instance (in this case vm01).

The best way to handle management of configurations is through apps, or in this case, what would be referred to as a technical add-on (TA).

https://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Whatsanapp

Beyond the nomenclature, an "app" is simply a directory containing configuration files.

In this case, simply copy the props.conf to vm01 under $SPLUNK_HOME/etc/apps//local

This will take you into various Splunk adventures, including file precedence, so be sure to poke through the admin docs I posted above to get a primer on how to work with configs and apps!

- MattyMo
0 Karma

ibob0304
Communicator

If I keep the vm02 config files in vm01, then Splunk would assume and consider the vm02 properties in vm01, isn't it? For instance, I have an app called "product apps", and I brought the vm02 configs and kept them along with the vm01 configs under that app. So Splunk will consider the config from vm01, not from the forwarder, so the data will be indexed directly from vm01, not from vm02. Sounds confusing.

0 Karma

mattymo
Splunk Employee

I recommend you take a look at our documentation regarding how indexing works.

http://docs.splunk.com/Documentation/Splunk/6.6.1/Indexer/Howindexingworks

When you deploy configurations in a distributed environment, you need to provide the forwarder and the indexers with configurations for your sourcetypes to account for different parts of the indexing pipeline.

The short answer to your concerns is...no, you will not "override" the forwarder configurations.

Both the vms will work in concert to do their part of the task.

- MattyMo
0 Karma
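
To illustrate the split described in the last reply, here is an added example (not posted by anyone in the thread and not taken from Splunk's documentation) of how one sourcetype's settings divide between the forwarder and the Splunk Enterprise instance. The app name `TA_example`, the sourcetype `example:app:log`, the monitored path and the timestamp format are constructed placeholders.

```ini
# ---- vm02 (universal forwarder) ----
# $SPLUNK_HOME/etc/apps/TA_example/local/inputs.conf
# (TA_example is a placeholder app name; the path below is a constructed sample)
[monitor://C:\logs\example\app.log]
sourcetype = example:app:log
disabled = 0

# $SPLUNK_HOME/etc/apps/TA_example/local/props.conf
# A universal forwarder does not parse events, so only input-phase
# settings for the sourcetype have any effect here.
[example:app:log]
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)

# ---- vm01 (Splunk Enterprise: indexing and search) ----
# $SPLUNK_HOME/etc/apps/TA_example/local/props.conf
# Defining the stanza here is what makes the sourcetype known to vm01.
[example:app:log]
# Index-time parsing, applied to events as they arrive from vm02
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
TRUNCATE = 10000
# Search-time field extraction
KV_MODE = auto
```

Because vm01 has no inputs.conf stanza for this file, it does not read the data itself; it only applies these settings to events arriving from vm02.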