I am trying to forward logs from a linux server to a Splunk Free indexer instance.
I know my forwarder is set up correctly because I can forward data to a fully licensed splunk indexer OK.
But when I switch the target server to the free license indexer I don't receive anything.
Q: Is it possible to use the universal forwarder to send data to a Splunk Free indexer (not a trial license)?
I have seen a good few answers but they all talk about forwarding FROM Splunk free not forwarding TO splunk free.
I have seen the "MoreaboutSplunkFree" page
http://docs.splunk.com/Documentation/Splunk/latest/Admin/MoreaboutSplunkFree
but again the restrictions seem to be about forwarding from, not to, Splunk Free.
Thanks
nickhillscpl: Yes, I have configured the receiver. Yes, I opened port 9997 on the firewall for TCP (should it be UDP?)
No, I have not configured anything special on the indexer. In the tutorial video there is no mention of setting up the indexer.
Where could I find this?
HiroshiSatoh: I only access data from the search head. When I click on "data summary" I can see other hosts I used in the past, but I cannot see the IP of the forwarding server. This is available on the fully licensed server.
Is there some log on the forwarding server I could look at that tells me "cannot contact indexer because..."?
Distributed configuration is not possible with the free version. Can you search on the indexer's server?
What is the reason?
Data is transferred to the indexer, but it can not be retrieved from the search head.
In Splunk Free there is no search head/indexer split. It's a single-box deployment only...
Although... that raises a good question if you were on an Enterprise trial and had previously configured distributed search before the license reverted to free.
You should be able to do this. As you correctly state, the free version limits your ability to configure a distributed environment (hence the "from").
There are no restrictions using a UF to send data to a system running the free licence.
Silly questions therefore follow:
Have you configured receiving ports?
Indexes?
Firewalls?
try searching for: index=_internal host=<your missing host name>
Although I suspect that it may come back empty!
Then take a look at the /opt/splunkforwarder/var/log/splunk/splunkd.log file. Look for any connection attempts specifically to port 9997 (yes, it is normally TCP).
How did you configure your forwarder?
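As an added example (not code from this thread or from Splunk), a script that performs the splunkd.log check suggested in the answer above, offline: it parses sample lines in the layout of a universal forwarder's splunkd.log, tallies connection outcomes per indexer:port from the TcpOutput* components, and reports any indexer the forwarder never managed to reach on the receiving port. The sample lines, hosts and timestamps are constructed for the example; the message wording approximates what the forwarder logs and should be checked against your own file.

```python
import re
from collections import defaultdict

# Constructed sample of a universal forwarder's splunkd.log. The line layout
# approximates /opt/splunkforwarder/var/log/splunk/splunkd.log; the hosts,
# timestamps and outcomes are made up for this example.
SAMPLE_SPLUNKD_LOG = """\
01-15-2019 10:22:01.101 +0000 INFO  TcpOutputProc - Connected to idx=10.0.0.5:9997, pset=0, reuse=0.
01-15-2019 10:22:13.456 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.9:9997 timed out
01-15-2019 10:22:20.002 +0000 ERROR TcpOutputFd - Connection to host=10.0.0.9:9997 failed
01-15-2019 10:22:25.777 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.9:9997 timed out
01-15-2019 10:22:30.000 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=0.0
01-15-2019 10:22:35.000 +0000 WARN  TcpOutputProc - Forwarding to indexer group default-autolb-group blocked for 100 seconds.
"""

# date time tz LEVEL Component - message
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<tz>\S+)\s+(?P<level>[A-Z]+)\s+"
    r"(?P<component>\S+) - (?P<msg>.*)$"
)
# The target indexer is written as idx=, ip= or host=, followed by host:port.
TARGET_RE = re.compile(r"(?:idx|ip|host)=(?P<host>[^:\s,]+):(?P<port>\d+)")


def summarize_outputs(log_text, port=9997):
    """Count successful and failed connection attempts per indexer:port.

    Only TcpOutput* components are considered. A line that names no
    host:port (e.g. the group-level 'blocked' warning) is tallied under
    the key 'no_target' so it is not lost but does not blame one host.
    """
    summary = defaultdict(lambda: {"connected": 0, "failed": 0, "last": ""})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or not m.group("component").startswith("TcpOutput"):
            continue
        msg, level = m.group("msg"), m.group("level")
        t = TARGET_RE.search(msg)
        if t and int(t.group("port")) != port:
            continue  # only the receiving port we are troubleshooting
        key = f"{t.group('host')}:{t.group('port')}" if t else "no_target"
        entry = summary[key]
        entry["last"] = msg
        if "Connected to" in msg:
            entry["connected"] += 1
        elif level in ("WARN", "ERROR"):
            entry["failed"] += 1
    return dict(summary)


def unreachable_indexers(summary):
    """Targets with at least one failure and no successful connection."""
    return sorted(k for k, v in summary.items()
                  if k != "no_target" and v["failed"] and not v["connected"])


if __name__ == "__main__":
    s = summarize_outputs(SAMPLE_SPLUNKD_LOG)
    for target, counts in sorted(s.items()):
        print(f"{target:>20}  connected={counts['connected']}  "
              f"failed={counts['failed']}  last={counts['last']}")
    print("never reached on 9997:", unreachable_indexers(s))
```

To use it on the real forwarder, pass the contents of /opt/splunkforwarder/var/log/splunk/splunkd.log to summarize_outputs instead of the sample. A target that shows only failures means the forwarder cannot open the receiving port at all, which points at the receiver configuration or the firewall rather than the licence; a target that shows successful connections while the host still does not appear in index=_internal points at the indexer side (receiving port and indexes).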