cyprussetr.blogg.se

Splunk server.conf





splunk add monitor /var/log # this is done locally on the universal forwarder; since no index is defined, anything successfully monitored should go to index=main on the Splunk side.

splunk add forward-server localhost:9997 -auth admin:changeme # this tells the universal forwarder where to forward data (generally an indexer, sometimes an HF)

I can think of an exception only in systems like containers, which you may want to preconfigure so that each container starts sending immediately.

Assuming your automation will take place in a clustered environment, you may want to read a little more on Splunk architecture. Checking on the commands you have put:

One key thing to note: in modern systems, you do monitoring automation with the Splunk deployment server.

For Ansible automation, I guess we can think of 2 strategies:

  • automation via Splunk CLI commands (as you have tried in the question).
  • automation via Splunk configuration files.

If it is a single instance as I thought, then you can just add it from the UI.


From that point on, whether you have monitors or not, the forwarder should start sending its internal logs to the Splunk indexer. So if it is a Universal Forwarder, you will be pointing it to your deployment server first, which can deploy the nf file to the forwarder to tell it where your indexers are.

It seems like you didn't install the Splunk forwarder but a Splunk EP single instance.

Ideally splunktcp should also get created automatically once I enable the port, but it didn't get created and I added it manually.

  • What am I missing as a part of configuration?

    • Can I use localhost as both Splunk forwarder and indexer, which is what I am doing here?
    • Is my understanding right that a separate entry should get created on the UI?

    My understanding is it should log a separate entry on the UI under settings->datainputs for /var/log, right?

    Also, I enabled port 9997 by using the following command:

    splunk enable listen 9997 -auth admin:changeme

    Now when I am trying the following command to add forward-server (indexer) and monitor (data input), I can't see anything on the UI.

    Below are the commands:

    splunk add forward-server localhost:9997 -auth admin:changeme

    I have installed Splunk forwarder on my Red Hat machine (localhost) and I can access Splunk through localhost:8000. I am trying to automate the Splunk forwarder configuration through Ansible, but before that I want to try manually through the command line.


    I am very new to Splunk and have been trying to understand it.






