How to define Splunk Server or Port number in unix machine

sachinkum
New Member

Hi,

I am new to Splunk. I installed the Splunk server on Windows 2008 R2 Std. and added the *nix app successfully on the server.
After installing splunkforwarder-4.3.4-136012.i386.rpm on one Unix client machine, where do I need to define the Splunk server IP address or port number to send the data to the Splunk server?

regards
Sachin


sachinkum
New Member

I made the changes in the /opt/splunkforwarder/etc/system/local/outputs.conf file only:
[tcpout]
defaultGroup = my_indexers

[tcpout:my_indexers]
server = 10.100.0.69:9997

Below is the error from the splunkd.log file.

09-14-2012 11:25:56.706 +0530 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
09-14-2012 11:26:08.706 +0530 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
09-14-2012 11:26:20.707 +0530 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
09-14-2012 11:26:20.707 +0530 INFO HttpPubSubConnection - Could not obtain connection, will retry after 60 seconds.
09-14-2012 11:26:21.158 +0530 INFO TcpOutputProc - Removing quarantine from idx=10.100.0.69:9997
09-14-2012 11:26:21.159 +0530 WARN TcpOutputFd - Connect to 10.100.0.69:9997 failed. Connection refused
09-14-2012 11:26:21.159 +0530 ERROR TcpOutputFd - Connection to host=10.100.0.69:9997 failed
09-14-2012 11:26:21.159 +0530 WARN TcpOutputProc - Applying quarantine to idx=10.100.0.69:9997 numberOfFailures=4
09-14-2012 11:26:32.707 +0530 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
09-14-2012 11:26:44.707 +0530 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
09-14-2012 11:26:51.160 +0530 INFO TcpOutputProc - Removing quarantine from idx=10.100.0.69:9997
09-14-2012 11:26:51.161 +0530 WARN TcpOutputFd - Connect to 10.100.0.69:9997 failed. Connection refused
09-14-2012 11:26:51.161 +0530 ERROR TcpOutputFd - Connection to host=10.100.0.69:9997 failed
09-14-2012 11:26:51.161 +0530 WARN TcpOutputProc - Applying quarantine to idx=10.100.0.69:9997 numberOfFailures=5

Please let me know what the simple steps should be to add a Unix machine to the Splunk server (which is running on a Windows 2008 R2 server).


Ayn
Legend

Could you please stop posting your comments as answers? Right now it looks like your question has been answered 8 times.


sachinkum
New Member

I am able to telnet to the 10.100.0.69:9997 server. There is no firewall issue because the Windows firewall is off.


Ayn
Legend

Connect to 10.100.0.69:9997 failed. Connection refused

You have a problem. Why is your indexer refusing connections? Firewall? Wrong IP?


sachinkum
New Member

Can anyone help me with the above query?


sachinkum
New Member

After configuring the above setting, my Splunk server is not indexing data and I am getting the below error. Also, my Splunk server is installed on Windows Server 2008 R2.

Error:- skipped indexing of internal audit event will keep dropping events until indexer congestion is remedied. Check disk space and other issues that may cause indexer to block.


aholzer
Motivator

A couple of points you can start off with:

1) Have you configured the inputs.conf on the indexer to listen at this port?
2) Have you opened up the port on your windows firewall on the indexer?
3) If you are planning on having your forwarder on your unix machine be a client of the deployment server on the indexer, you are going to want to match the management ports on both machines. And make sure that it's open on the firewall.


aholzer
Motivator

In order to define what server to write to, you need to update the outputs.conf file under $SPLUNK_HOME/bin/etc/system/local. See: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd

The basic definition should look like this:

[tcpout]
defaultGroup=my_indexers

[tcpout:my_indexers]
server=mysplunk_indexer1:9997

Remember to check the port defined under the inputs.conf of the indexer and match it to the forwarder one (or vice versa). More details on indexer inputs.conf here: http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf#inputs.conf.example

Note that you need to define entries in the inputs.conf on your forwarder too. This is where you define what files you are going to monitor and send to the indexer. These links should help with this part:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Editinputs.conf

http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/Specifyinputpathswithwildcards

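As an added example (not code from this thread or from Splunk), the Python below cross-checks a forwarder's outputs.conf target against the indexer's inputs.conf receiving stanzas, which is the port-matching check this answer and point 1 of the earlier answer describe; the .conf contents are constructed samples, and the "missing stanza" case is the configuration-side cause of the "Connection refused" lines in the forwarder's splunkd.log.

```python
import configparser
import re

# Constructed sample: the forwarder outputs.conf shown in the thread.
FORWARDER_OUTPUTS = """
[tcpout]
defaultGroup = my_indexers

[tcpout:my_indexers]
server = 10.100.0.69:9997
"""
# Constructed sample: an indexer inputs.conf with no receiving port yet.
INDEXER_INPUTS_MISSING = """
[monitor:///var/log/messages]
sourcetype = syslog
"""
# Constructed sample: the same indexer after enabling receiving on 9997.
INDEXER_INPUTS_OK = INDEXER_INPUTS_MISSING + "\n[splunktcp://9997]\n"

def _parse(text):
    # Splunk .conf files are INI-like; keep key case, tolerate repeated stanzas.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def target_ports(outputs_text):
    """(host, port) pairs the forwarder's default tcpout group sends to."""
    cp = _parse(outputs_text)
    group = cp["tcpout"]["defaultGroup"]
    targets = set()
    for entry in cp[f"tcpout:{group}"]["server"].split(","):
        host, _, port = entry.strip().rpartition(":")
        targets.add((host, int(port)))
    return targets

def listening_ports(inputs_text):
    """Ports the indexer receives on via [splunktcp://...] or [splunktcp-ssl://...]."""
    ports = set()
    for section in _parse(inputs_text).sections():
        m = re.fullmatch(r"splunktcp(?:-ssl)?://(?:[^:]*:)?(\d+)", section)
        if m:
            ports.add(int(m.group(1)))
    return ports

def unmatched_targets(outputs_text, inputs_text):
    """Forwarder targets whose port has no receiving stanza on the indexer."""
    listening = listening_ports(inputs_text)
    return sorted(t for t in target_ports(outputs_text) if t[1] not in listening)
```

Run `unmatched_targets` with the real files from both hosts; any pair it returns is a port the forwarder sends to but the indexer never opened, so the firewall is not the first thing to check.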

Ayn
Legend

You can define the Splunk server and port through the CLI. This is covered in the docs section here: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Deployanixdfmanually


sachinkum
New Member

Please share with me the file path where I need to add the Splunk server IP or port number.
The client machine is Unix.


Ayn
Legend

Did you add any inputs on the forwarder?


sachinkum
New Member

I tried the given URL and added the server IP and port, but no data is showing in the Splunk server.
