Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Do we have to edit input or output of C:\Program Files\Splunk\etc\system\local in windows machine also if we want to access the log of a linux machine which already have UF installed?

anshuman19
Explorer
‎01-08-2018 09:52 PM

I have splunk enterprise installed in window and I want to access the log of Linux machine which have UF installed but the input and output.conf is not touched so to access the log do we have to edit the input or output file of windows?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎01-09-2018 08:12 AM

hey @anshuman19

1) You do not need to edit inputs or outputs of windows
2) you need to configure UF which is on linux
http://docs.splunk.com/Documentation/Forwarder/7.0.1/Forwarder/Configuretheuniversalforwarder
3) You need to enable configure receiving on windows splunk indexer. Settings>Forwarding and Receiving>Configure Receiving>9997
4) You need to edit splunkforwarder/etc/system/local/inputs.conf to forward data to splunk windows machine.
https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorfilesanddirectorieswithinputs.conf

Search for you data in splunk :)ENJOY Splunking

I hope this helps you!

View solution in original post

Reply
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎01-09-2018 08:12 AM

hey @anshuman19

1) You do not need to edit inputs or outputs of windows
2) you need to configure UF which is on linux
http://docs.splunk.com/Documentation/Forwarder/7.0.1/Forwarder/Configuretheuniversalforwarder
3) You need to enable configure receiving on windows splunk indexer. Settings>Forwarding and Receiving>Configure Receiving>9997
4) You need to edit splunkforwarder/etc/system/local/inputs.conf to forward data to splunk windows machine.
https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorfilesanddirectorieswithinputs.conf

Search for you data in splunk :)ENJOY Splunking

I hope this helps you!

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-09-2018 04:57 AM

Hi anshuman19,
To receive logs from a Forwarder see https://docs.splunk.com/Documentation/Splunk/7.0.1/Data/WhatSplunkcanmonitor

Anyway you need, on forwarder, to edit:

  • outputs.conf to address the correct indexer to send data,
  • inputs.conf to find the logs to index.

On Indexer you have only to enable logs receiving [Settings - Forwarding and Receiving -- Configure Receiving].

In this way, in your Windows Splunk server you can see the Linux logs.

To ingest logs, I suggest to use a Technical Add-On that you can find in apps.splunk.com.

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

anshuman19
Explorer
‎01-10-2018 09:32 PM

Hi Giuseppe
I Have no clue about Technical Add-On but I downloaded and placed in my forwarder directory, can you tell me what next I have to do to ingest logs

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-11-2018 04:00 AM

Hi anshuman19,
you have to:

  • download TA from splunkbase,
  • open inputs.conf and enable stanzas you want (disabled=false),
  • copy TA in forwarder's $SPLUNK_HOME\etc\apps,
  • restart Splunk on Forwarder.

Anyway read TA's instructions.

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...