I followed the whole documentation but I got one problem. I didn't get any log files in my Splunk indexer. I built a test environment with two Windows Server 2008 R2 machines:
Server A (Monitored client with the splunk forwarder IP 172.28.28.27)
Windows Server B (runs Splunk enterprise with indexer, deployment server (sendtoindexer app, splunk Add-on for Windows) IP 172.28.28.28)
But I didn't get any log files. My setup looks like this:
The configured forwarder
http://www0.xup.in/exec/ximg.php?fid=10607561
the sendtoindexer app
http://www0.xup.in/exec/ximg.php?fid=41677695
the windows app
http://www0.xup.in/exec/ximg.php?fid=20050979
The Forward Management on splunk enterprise
http://www0.xup.in/exec/ximg.php?fid=16913503
http://www0.xup.in/exec/ximg.php?fid=34496890
http://www0.xup.in/exec/ximg.php?fid=16003466
My search head always shows: Waiting for input.
Can anyone help me?
Thanks a lot
This is my splunkd.log
10-09-2015 10:49:47.582 +0200 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_172.28.28.27_8089_WIN-S341BFF7Q2O_WIN-S341BFF7Q2O_1581A9B3-BC5F-4A64-B9E2-59D58027B690
10-09-2015 10:49:47.582 +0200 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_172.28.28.27_8089_WIN-S341BFF7Q2O_WIN-S341BFF7Q2O_1581A9B3-BC5F-4A64-B9E2-59D58027B690
10-09-2015 10:50:47.595 +0200 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_172.28.28.27_8089_WIN-S341BFF7Q2O_WIN-S341BFF7Q2O_1581A9B3-BC5F-4A64-B9E2-59D58027B690
This is on the forwarders or the indexer?
on the forwarder
Asking the most basic question: Did you actually configure inputs?
Edit: The Splunk_TA_windows inputs aren't actually enabled when you download them from SplunkBase.
yes 😃 I changed the values from 1 to 0
Hi cschmit1,
Looks like your setup is correct…so this seems like a connectivity issue. Possibly Windows Firewall.
Check splunkd.log on the forwarder. Does it attempt to connect to the indexer at 172.28.28.28?
Add the telnet capability to your forwarder and attempt to connect to the instance that way:
telnet 172.28.28.28 9997
If that works, then we can troubleshoot what is going on with the forwarder.
telnet on this port didn't work either.
Both windows firewalls were deactivated.
netstat -an shows Local Address 172.28.28.28:9997 | Foreign Address 172.28.28.27:61024 | Established
Ok, so did telnet fail with a connection refused or a connection timed out? If the former, that might be expected because communication has already occurred on those ports, though I do believe that multiple inbound connections are acceptable. If it's a timeout, then some sort of network barrier or break exists between your forwarder and your indexer.
It looks like your forwarder did make a connection to the indexer, so we need to see why it's not sending the data. Let's take a look at splunkd.log on the forwarder and see what the connection conversation looks like. You'd be looking for attempts from the forwarder to hit the indexer. If you don't mind, you can paste that conversation here.
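As an added example (not from this thread or from Splunk), here is a small Python script that parses splunkd.log lines in the layout posted above and reports whether the forwarder's log ever shows a data connection to the indexer on 9997, or only the phone-home polls to the deployment server on 8089. The TcpOutputProc sample line is constructed and its wording is an assumption; the indexer address and the two phone-home lines are taken from the thread.

```python
import re
from datetime import datetime

# splunkd.log layout seen in the thread: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+) (?P<component>\S+) - (?P<message>.*)$"
)
# Phone-home URI: the forwarder names its own IP and management port (8089), then hostname and GUID.
PHONEHOME_RE = re.compile(r"phonehome/connection_(?P<ip>[\d.]+)_(?P<port>\d+)_")

# Two lines copied from the forwarder's splunkd.log as posted in the thread.
THREAD_LINES = [
    "10-09-2015 10:49:47.582 +0200 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_172.28.28.27_8089_WIN-S341BFF7Q2O_WIN-S341BFF7Q2O_1581A9B3-BC5F-4A64-B9E2-59D58027B690",
    "10-09-2015 10:50:47.595 +0200 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_172.28.28.27_8089_WIN-S341BFF7Q2O_WIN-S341BFF7Q2O_1581A9B3-BC5F-4A64-B9E2-59D58027B690",
]
# Constructed line (wording is an assumption) showing what a data connection to the indexer on 9997 would look like.
CONSTRUCTED_INDEXER_LINE = "10-09-2015 10:51:02.110 +0200 INFO TcpOutputProc - Connected to idx=172.28.28.28:9997"

def parse_line(line):
    """Split one splunkd.log line into timestamp (tz-aware), level, component and message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m-%d-%Y %H:%M:%S.%f %z")
    return rec

def classify(rec, indexer):
    """'phonehome' = deployment-server poll on 8089; 'indexer' = data output to indexer host:port."""
    if rec["component"] == "HttpPubSubConnection" and PHONEHOME_RE.search(rec["message"]):
        return "phonehome"
    if rec["component"].startswith("TcpOutput") and indexer in rec["message"]:
        return "indexer"
    return "other"

def phonehome_peer(rec):
    """(ip, port) the forwarder reports about itself in a phone-home URI, or None."""
    m = PHONEHOME_RE.search(rec["message"])
    return (m.group("ip"), int(m.group("port"))) if m else None

def summarize(lines, indexer="172.28.28.28:9997"):
    """Count line kinds; 'sends_to_indexer' stays False when only phone-home traffic is logged."""
    counts = {"phonehome": 0, "indexer": 0, "other": 0, "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        counts[classify(rec, indexer) if rec else "unparsed"] += 1
    counts["sends_to_indexer"] = counts["indexer"] > 0
    return counts
```

Run `summarize(THREAD_LINES)` against the lines posted above and `sends_to_indexer` comes back False: the pasted log only shows the forwarder polling the deployment server, never an output connection to 172.28.28.28:9997.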
Where can I find the splunkd.log on the forwarder?
They are in C:\Program Files\SplunkUniversalForwarder\var\log\splunk.