Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can't manage the data that is getting forwarded to my Splunk Instance

ckunath
Communicator
‎04-25-2017 12:29 AM

Hello,

a forwarder has been set up to send data to my linux machine and I get the data, everything is fine so far.
The problem is, that the person who set up the forwarder did not specify the right source type, and for some reason I can't find the data input under "Data inputs" to edit it.
If I want to go to Add Data > Forward it tells me that "There are currently no forwarders configured as deployment clients to this instance."

Can anyone tell me how I can set up my splunk enterprise instance so that I can manage the inputs from the forwarder on my end?

Thanks in advance!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

brreeves_splunk
Splunk Employee
Splunk Employee
‎04-25-2017 05:27 AM

@ckunath,

You'll need to find out what the inputs.conf file looks like on the actual forwarder so that you know what to put into the deployment app you'll create. Here's the basics: http://docs.splunk.com/Documentation/Splunk/6.5.3/Updating/Aboutdeploymentserver

You'll tell the forwarder to look to the main instance using this splunk set deploy-poll command.
http://docs.splunk.com/Documentation/Splunk/6.5.3/Updating/Configuredeploymentclients

Next, you'll create a deployment app that has an inputs.conf that you want the forwarder to follow.
http://docs.splunk.com/Documentation/Splunk/6.5.3/Updating/Createdeploymentapps

And finally, you'll assign the app you created with the inputs.conf to the server class you created that includes the forwarder you mentioned.
http://docs.splunk.com/Documentation/Splunk/6.5.3/Updating/Definedeploymentclasses

View solution in original post

Reply
Solved! Jump to solution
Solution

brreeves_splunk
Splunk Employee
Splunk Employee
‎04-25-2017 05:27 AM

@ckunath,

You'll need to find out what the inputs.conf file looks like on the actual forwarder so that you know what to put into the deployment app you'll create. Here's the basics: http://docs.splunk.com/Documentation/Splunk/6.5.3/Updating/Aboutdeploymentserver

You'll tell the forwarder to look to the main instance using this splunk set deploy-poll command.
http://docs.splunk.com/Documentation/Splunk/6.5.3/Updating/Configuredeploymentclients

Next, you'll create a deployment app that has an inputs.conf that you want the forwarder to follow.
http://docs.splunk.com/Documentation/Splunk/6.5.3/Updating/Createdeploymentapps

And finally, you'll assign the app you created with the inputs.conf to the server class you created that includes the forwarder you mentioned.
http://docs.splunk.com/Documentation/Splunk/6.5.3/Updating/Definedeploymentclasses

Reply
Solved! Jump to solution

dineshraj9
Builder
‎04-25-2017 12:50 AM

You have to check the forwarder and find the inputs.conf file on the forwarder and modify it.
You can get the installation path by checking the directory of the forwarders internal log.

0 Karma
Reply
Solved! Jump to solution

brreeves_splunk
Splunk Employee
Splunk Employee
‎04-25-2017 05:27 AM

While they will need to find the inputs.conf on the forwarder, the question was "How do I manage it remotely?".

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...