- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Is it possible to forward data to a Splunk Free li...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to forward data to a Splunk Free license?
I am trying to forward logs from a linux server to a Splunk Free indexer instance.
I know my forwarder is set up correctly because I can forward data to a fully licensed splunk indexer OK.
But when I switch the target server to the free license indexer i don't receive anything.
Q: Is it possible to use universal forwarder to send data to a splunk free indexer ( not a trial license)?
I have seen a good few answers but they all talk about forwarding FROM Splunk free not forwarding TO splunk free.
I have seen the "MoreaboutSplunkFree" page
http://docs.splunk.com/Documentation/Splunk/latest/Admin/MoreaboutSplunkFree
but again restrictions seem to be about about forwarding from not to Splunk free.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks
nickhillscpl : Yes I have configured Receiver, Yes I opened port 9997 on firewall for TCP ( should it be udp?)
No I have not configured any this special on indexer. on the tutorial video there is no mention of setting indexer.
Where could I find this?
HiroshiSatoh : I only access data from search head. When i click on "data summary" I can see other host I used in the past but I cannot see the ip of forwarding server. this is available on the fulled licensed server.
Is there some log on the Forwarding server I could look telling me "cannot contact indexer because..."?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Distributed configuration is not possible with the free version. Can you search on the indexer's server?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the reason?
Data is transferred to the indexer, but it can not be retrieved from the search head.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In Splunk "free" there is no search head/indexer - Its a single box deployment only...
Although... that raises a good question if you were on Ent Trial, and had previously configured distributed search before the lic reverted to free
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should be able to do this - as you correctly state, the free version limits your ability to configure a distributed environment (hence From).
There are no restrictions using a UF to send data to a system running the free licence.
Silly questions therefore follow:
Have you configured receiving ports?
Indexes?
Firewalls?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try searching for: index=_internal host=<your missing host name>
Although I suspect that it may come back empty!
Then take a look at the /opt/splunkforwarder/var/log/splunk/splunkd.log file - Look for any connection attempts specifically to port 9997. (yes it is normally TCP)
How did you configure your forwarder?
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
