
Hi There,

I'm very new to Splunk and trying to do a POC on my laptop. I installed the Windows version of Splunk. I'm trying to configure the forwarder and receiver to search the event logs on the laptop.

For receivers, I configured it via Splunk Web:

Manager >> Forwarding and receiving >> Configure receiving, and gave the port as 9997


For forwarders, the following files were modified: $SPLUNK_HOME\etc\apps\SplunkLightForwarder\default\inputs.conf

(Copy-paste mistake; my inputs.conf file has the following info.)

[monitor://C:\\Windows\\System32\\winevt\\Logs\\*.*]
_TCP_ROUTING = my_indexers

$SPLUNK_HOME\etc\system\local\outputs.conf

[tcpout]
defaultGroup=my_indexers

[tcpout:my_indexers]
compressed=false
server=localhost:9997

After the above changes I restarted splunkd and Splunk Web and tried the following in the search:

index = my_indexers

which is returning nothing.

Did I miss any configurations? Do I need to install any Windows app for forwarders? Please advise, thank you very much.

asked 05 Oct '11, 12:00 by Ferrari

edited 05 Oct '11, 13:01 by gkanapathy ♦


3 Answers:

It seems like you're routing the data using inputs.conf and then trying to search data on the wrong and probably non-existent index. It seems like my_indexers is your tcpout group name. Give this a try and comment to let us know whether it works:

- remove "_TCP_ROUTING = my_indexers" from your inputs file
- put this instead: "index = main", or whatever index you want the data to go to.

answered 05 Oct '11, 22:55 by _d_

Thanks for responding.

This is what I did per your suggestions:

[monitor://C:\Windows\System32\winevt\Logs\*.*]
index = main

and trying to search index = main still fails. To give the complete picture: I installed the indexer, forwarder and receiver on the same machine, i.e. my laptop, and am trying to forward event logs to the receiver, index them and have them ready for search, and I'm failing there. But if I search index="_audit", Splunk returns results. I did not create that index.

(06 Oct '11, 06:52) Ferrari

_audit is an index that gets created automatically and is used internally by Splunk. Try putting this stanza in your $SPLUNK_HOME/etc/system/local/inputs.conf:

[monitor://C:\Windows/System32/winevt/Logs/]
index = main
disabled = false

This should bring in all data under the Logs dir. Don't forget to restart Splunk. Technically speaking, you don't need to forward local data to localhost (like you're doing with outputs.conf); your indexer instance can read/monitor files just fine :)

answered 06 Oct '11, 07:26 by _d_
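As an added example (not code from this thread or from Splunk), the script below parses a forwarder's inputs.conf and outputs.conf and resolves, per data-input stanza, which index the events land in and which tcpout group they are routed through. Run against constructed copies of the two files posted in the question (backslashes restored where the page's markdown stripped them), it shows the mix-up the answers point at: `my_indexers` is a routing group in outputs.conf, so `index=my_indexers` matches no stanza, while every stanza actually writes to the default index. Assumptions of the example: the default index is named `main`, stanzas without a `://` scheme (such as `[default]`) are not data inputs, and `[tcpout] defaultGroup` applies to any stanza without its own `_TCP_ROUTING`.

```python
# Added example, not from the original thread: resolve where each Splunk input
# stanza's events end up, to show why "index=my_indexers" returned nothing.
import configparser

# Constructed copies of the inputs.conf / outputs.conf posted in the question
# (backslashes restored; the page's markdown had stripped them).
POSTED_INPUTS = r"""
[monitor://C:\Windows\System32\winevt\Logs\*.*]
_TCP_ROUTING = my_indexers
"""

POSTED_OUTPUTS = r"""
[tcpout]
defaultGroup=my_indexers

[tcpout:my_indexers]
compressed=false
server=localhost:9997
"""

# The stanza suggested in the answer above.
FIXED_INPUTS = r"""
[monitor://C:\Windows/System32/winevt/Logs/]
index = main
disabled = false
"""

DEFAULT_INDEX = "main"  # assumption: Splunk's default index for events with no index= set


def parse_conf(text):
    """Parse a Splunk .conf file. Stanza headers such as [monitor://C:\...]
    and case-sensitive keys such as _TCP_ROUTING need these parser settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case (defaultGroup, _TCP_ROUTING)
    cp.read_string(text)
    return cp


def tcpout_groups(outputs_text):
    """Return ({group names from [tcpout:<group>] stanzas}, defaultGroup or None)."""
    cp = parse_conf(outputs_text)
    groups = {s.split(":", 1)[1] for s in cp.sections() if s.startswith("tcpout:")}
    default = cp["tcpout"].get("defaultGroup") if cp.has_section("tcpout") else None
    return groups, default


def destinations(inputs_text, outputs_text):
    """Map each data-input stanza to (index, [tcpout groups]) its events go to.
    Stanzas without a '://' scheme (e.g. [default]) are skipped (assumption)."""
    cp = parse_conf(inputs_text)
    _, default_group = tcpout_groups(outputs_text)
    out = {}
    for stanza in cp.sections():
        if "://" not in stanza:
            continue
        opts = cp[stanza]
        index = opts.get("index", DEFAULT_INDEX)
        routing = opts.get("_TCP_ROUTING", default_group or "")
        out[stanza] = (index, [g.strip() for g in routing.split(",") if g.strip()])
    return out


def lint(inputs_text, outputs_text):
    """Flag routing to undefined groups and index values that are really group names."""
    groups, _ = tcpout_groups(outputs_text)
    findings = []
    for stanza, (index, routes) in destinations(inputs_text, outputs_text).items():
        for g in routes:
            if g not in groups:
                findings.append(f"{stanza}: _TCP_ROUTING names undefined tcpout group '{g}'")
        if index in groups:
            findings.append(f"{stanza}: index '{index}' is a tcpout group name, not an index")
    return findings


def stanzas_feeding_index(index_name, inputs_text, outputs_text):
    """Which input stanzas write to the index a search names? Returns (stanzas, note)."""
    groups, _ = tcpout_groups(outputs_text)
    hits = [s for s, (idx, _) in destinations(inputs_text, outputs_text).items() if idx == index_name]
    if not hits and index_name in groups:
        # Exactly the question's situation: the search names a routing group.
        return hits, f"'{index_name}' is a tcpout group in outputs.conf, not an index"
    return hits, None


if __name__ == "__main__":
    print(destinations(POSTED_INPUTS, POSTED_OUTPUTS))
    print(stanzas_feeding_index("my_indexers", POSTED_INPUTS, POSTED_OUTPUTS))
    print(stanzas_feeding_index("main", FIXED_INPUTS, POSTED_OUTPUTS))
```

The same check is worth running before a search on any forwarder-plus-indexer setup: if `stanzas_feeding_index` returns an empty list for the index you are about to query, the data is not where you think it is, regardless of whether the forwarder is connected.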

This worked, and it took a while to load the data. Thanks gkanapathy for your assistance.

answered 07 Oct '11, 10:52 by Ferrari

edited 27 Oct '11, 08:19


Copyright © 2005-2012 Splunk Inc. All rights reserved.