Getting Data In

Forwarder data not shown in results

nmythily
New Member

Hi
I am using Splunk universal forwarder to receive data in Splunk enterprise but data is not shown in the search result.

Splunk Enterprise and universal forwarder are in the same server.
Created index and assigned to the admin role. Set the port for listening in the receiver.
Below are the configuration details:

/opt/splunkforwarder/etc/system/local/outputs.conf
[tcpout]
defaultGroup=sp_index

[tcpout:sp_index]
server=10.100.103.209:9997

[tcpout-server://10.100.103.209:9997]

./splunk add forward-server 10.100.103.209:9997
./splunk add monitor "/var/www/spdev_mythily_data/test_data/*" -index sp_index -sourcetype _json -host 10.100.103.209

Thanks,
Mythily

0 Karma

woodcock
Esteemed Legend

If your forwarder is your Indexer, then there is no need to install the UF (in fact, as you are realizing, it may not work correctly out of the box); just install Splunk because the full version has everything that the UF has and more. If you must do it this way (for example, for learning or testing), then start completely over and when you are issuing commands to the forwarder, use /opt/splunkforwarder/... and only use /opt/splunk/... when sending commands to the Indexer/Search-Head. So at a minimum, you should change to this:

/opt/splunkforwarder/bin/splunk add forward-server 10.100.103.209:9997
/opt/splunkforwarder/bin/splunk add monitor "/var/www/spdev_mythily_data/test_data/*" -index sp_index -sourcetype
0 Karma

FrankVl
Ultra Champion

So, what troubleshooting have you done already?

Have you restarted both instances after performing these configurations?

Have you confirmed your Enterprise instance is listening on TCP 9997 (e.g. using netstat)? Have you checked that instance's splunkd.log for errors/warnings?

Have you checked your UF for errors/warnings in the splunkd.log? Both about the input as well as the output?

Have you run a search over All Time, to ensure you're not missing the data because it has been misplaced on the timeline due to incorrect timestamp extraction?

What is the purpose of having UF and Enterprise on the same machine? Why not configure the input in the enterprise instance itself (to prevent confusion and perhaps conflicting ports)?

0 Karma
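The checklist above can be scripted. The following is an added example, not code from this thread or from Splunk: it reads the forwarder's outputs.conf to find where defaultGroup actually points, checks whether anything is listening on that port, counts ERROR/WARN lines from the forwarding components in both splunkd.log files, and finishes with an All Time search. It assumes the default install paths (/opt/splunk, /opt/splunkforwarder), the index name sp_index from the question, and the usual splunkd.log layout; the log lines in the test are constructed, modelled on typical TcpOutputProc/TailingProcessor messages.

```shell
#!/bin/sh
# Added troubleshooting helper for a UF and an indexer on the same host.
# Assumptions (not from the thread): default install paths, log layout
# "date time tz LEVEL Component - message", CLI search accepts -earliest_time 0.
SPLUNK_HOME=${SPLUNK_HOME:-/opt/splunk}          # Splunk Enterprise (indexer / search head)
UF_HOME=${UF_HOME:-/opt/splunkforwarder}          # universal forwarder

# Print the host:port that the forwarder's defaultGroup resolves to.
# Exit 1 if defaultGroup is missing or names a group with no server= line,
# which is a common reason a UF silently forwards nothing.
outputs_target() {
  awk '
    /^\[/ { s=$0; gsub(/\[|\]/, "", s); next }                      # stanza header
    s=="tcpout" && /^[ \t]*defaultGroup[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); g=$0 }
    s ~ /^tcpout:/ && /^[ \t]*server[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); srv[substr(s,8)]=$0 }
    END { if (g in srv) print srv[g]; else exit 1 }
  ' "$1"
}

# Exit 0 if something is listening on TCP port $1 (ss, falling back to netstat).
port_listening() {
  if command -v ss >/dev/null 2>&1; then
    ss -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ (p "$") {f=1} END {exit !f}'
  elif command -v netstat >/dev/null 2>&1; then
    netstat -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ (p "$") {f=1} END {exit !f}'
  else
    return 2   # neither tool available; caller decides
  fi
}

# Count ERROR/WARN lines from the components involved in getting data in:
# TcpOutputProc (UF output), TcpInputProc (indexer receiver), TailingProcessor (file monitor).
scan_log() {
  grep -cE '(ERROR|WARN) +(TcpOutputProc|TcpInputProc|TailingProcessor)' "$1" || true
}

main() {
  target=$(outputs_target "$UF_HOME/etc/system/local/outputs.conf") || {
    echo "outputs.conf: defaultGroup does not resolve to a server= line"; return 1; }
  port=${target##*:}
  echo "UF forwards to $target"
  "$UF_HOME/bin/splunk" list forward-server       # what the UF itself believes
  "$UF_HOME/bin/splunk" list monitor               # is the monitor input registered?
  if port_listening "$port"; then
    echo "indexer is listening on $port"
  else
    echo "nothing listening on $port: enable receiving on the Enterprise instance and restart it"
  fi
  echo "UF splunkd.log problems:      $(scan_log "$UF_HOME/var/log/splunk/splunkd.log")"
  echo "Indexer splunkd.log problems: $(scan_log "$SPLUNK_HOME/var/log/splunk/splunkd.log")"
  # Last item from the checklist: search All Time so a bad timestamp cannot hide the events.
  "$SPLUNK_HOME/bin/splunk" search 'index=sp_index | stats count' -earliest_time 0 -latest_time now
}

# Run the checks only when executed directly (as uf_check.sh), not when sourced for its functions.
if [ "${0##*/}" = "uf_check.sh" ]; then main; fi
```

Both splunkd.log counts should be zero on a healthy pair; a non-zero UF count with "TcpOutputProc" usually means the listener side is the problem, while "TailingProcessor" points at the monitor path or permissions.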

richgalloway
SplunkTrust

Don't run Splunk Enterprise and Universal Forwarder on the same server. It's not necessary. Splunk Enterprise can do everything a Universal Forwarder can do.

---
If this reply helps you, Karma would be appreciated.
0 Karma