Forums: SplunkAdministration: SplunkLightForwarder


Hi

Complete newbie to Splunk.

I have looked through the admin doc and followed the instructions to set up SplunkLightForwarder but it completely fails - when I restart Splunk, the splunkweb still comes up and nothing seems to have changed.

One other thing is at the moment in dev I have access to the console and can get to the GUI but in production I won't have access to the GUI.

So is there a dedicated start to finish procedure for setting up SLF from the CLI with no interaction with the GUI at all and how/what to check if it has worked?

I am running one VM with two separate instances of splunk v 4.06 on Linux RH4.

I tried copying the SplunkLightForwarder//default/ files into the /local/ dir and modified the outputs.conf and inputs.conf for my servers but it still starts up with splunkweb etc???

Any help greatly appreciated.

Cheers.

Can you provide the contents of your outputs & inputs.conf?

Are you deploying the forwarder, or are you just enabling it via the command line?

If you are not deploying it, just want to enable the forwarder, run the command:
./splunk enable app SplunkLightForwarder -auth <username>:<password>

Hi
Thanks for getting back to me.

I think the penny is starting to drop - am I correct in thinking that after untarring the binaries onto the target I don't do a ./splunk start to start the whole thing but just the ./splunk enable app SplunkLightForwarder -auth <username>:<password> from the outset?

If that's correct and I think it is then brilliant as I was worried about having the whole install on the prod servers.

Something else I have been trying to work out as well is how to verify the data on the receiver. I can see the port is listening after adding the data input port but how do I use the data on that port? Do I need a dedicated application to make any use of it or can I add it to its own index etc?

Apologies if these are stupid questions but I can't see any doc on mapping the data from the forwarder to anything.

This is what I added to the local/inputs.conf

[monitor:///apache/.../logs]
_TCP_ROUTING = *

This is the outputs.conf

[tcpout]
maxQueueSize = 1000
defaultGroup = apache_log
disabled = false
indexAndForward = true
[tcpout:apache_log]
disabled = false
server = 10.2.18.83:9997
sendCookedData = false

Cheers

OK, the penny dropped and rolled away... you do need to have the whole thing started and then run the ./splunk enable app SplunkLightForwarder -auth <username>:<password>

To answer your question, I would like to just deploy the SplunkLightForwarder if possible.

The situation I am in is I have a lot of servers dotted round the infrastructure and I want to just deploy the SplunkLightForwarder on them to forward to a central indexer.

Cheers

You start it, run the "enable" command, then restart it, yes. There are other ways if you are running Splunk Enterprise: you can use the deployment server to enable the light forwarder, for example.

Also, this should be helpful: http://www.splunk.com/base/Deploy:SplunkForwader_for_Windows_installscript

Cheers guys - I have it running after redeploying from scratch, leaving everything running as the root user for now.

Chowned everything to splunk user and everything still works a treat - thanks guys.
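
Added example, not part of the thread and not Splunk's own code: a small Python check for a GUI-less host that reads an outputs.conf like the one posted above and reports where the forwarder will send data and whether it sends cooked or raw. The function names are hypothetical, the sample is the config from the thread, and the default of sendCookedData = true when unset is an assumption.

```python
# Constructed sample: the outputs.conf as posted in the thread.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
maxQueueSize = 1000
defaultGroup = apache_log
disabled = false
indexAndForward = true
[tcpout:apache_log]
disabled = false
server = 10.2.18.83:9997
sendCookedData = false
"""

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def is_true(value):
    return value.strip().lower() in ("true", "1")

def forward_targets(stanzas):
    """Return (group, host, port, cooked) for every enabled default target."""
    top = stanzas.get("tcpout", {})
    if is_true(top.get("disabled", "false")):
        return []
    targets = []
    for group in filter(None, (g.strip() for g in top.get("defaultGroup", "").split(","))):
        grp = stanzas.get("tcpout:" + group)
        if grp is None:
            raise ValueError("defaultGroup names missing stanza [tcpout:%s]" % group)
        if is_true(grp.get("disabled", "false")):
            continue
        # Assumption: sendCookedData defaults to true when unset in both stanzas.
        cooked = is_true(grp.get("sendCookedData", top.get("sendCookedData", "true")))
        for server in filter(None, (s.strip() for s in grp.get("server", "").split(","))):
            host, _, port = server.rpartition(":")
            targets.append((group, host, int(port), cooked))
    return targets
```

Feed it the text of the forwarder's local/outputs.conf; a defaultGroup that names a stanza missing from the file raises ValueError instead of silently forwarding nowhere.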