How can I transfer logs of a sever to an indexer?

Utkarsh_Singh · ‎02-07-2018

I have created an index A for server X and I have done all the required setting in the inputs.conf file of server X. I have checked that logs are monitored by Splunk through "Splunk list monitor" command but logs are not reaching to index.
What can be done?

felipesewaybric · ‎02-07-2018

now you need to config your output.conf

first use this in your UF:

./splunk list forward-server
then
./splunk add forward-server :

and check if the port is open in your server

Utkarsh_Singh · ‎02-07-2018

Ports are open i have checked already

micahkemp · ‎02-07-2018

inputs.conf is only part of the solution. This documentation page steps you through enabling the receiver on the indexer and adding a forward server on the forwarder.

Utkarsh_Singh · ‎02-07-2018

i have done all the configuration still i am on same page.

felipesewaybric · ‎02-07-2018

i know it sounds dumb, but did you restart your forwarder? It appears as active with this command?
./splunk list forward-server

micahkemp · ‎02-07-2018

Please share your

indexes.conf on the indexer
inputs.conf on the indexer

inputs.conf on the forwarder
props.conf on the forwarder
outputs.conf on the forwarder

that you have put in place for this task.

How can I transfer logs of a sever to an indexer?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!