Splunk UF 不向索引器发送数据

Splunk UF not sending data to indexer

我有 Splunk UF 和 Splunk Enterprise Server,都是 v8.2.1,运行 在 docker 容器中,但我无法在 Enterprise Server 上看到与新索引 I 相关的任何数据已创建,'mytest':

企业服务器将默认端口 9997 作为接收端口激活:

两个容器都连接到 'splunk' 我创建的网络:

        "Containers": {
        "0f9e44620ce9fba16df21af6d2253c4b02b9714cb3ea126a616f10d06f836eb9": {
            "Name": "dspinelli-uf",
            "EndpointID": "0e1dd065ee3d815c943a8b52e6107e53a4b57d9e3103b17d1461611543769869",
            "MacAddress": "02:42:ac:12:00:03",
            "IPv4Address": "172.18.0.3/16",
            "IPv6Address": ""
        },
        "3a1a084561eda8013baa8847f4ca30fd68eb74468ff666195bf1c15e0f8a280f": {
            "Name": "dspinelli-ent",
            "EndpointID": "7159b1a41840f9dfae04b50bb61386f8c3ac2233aee334026b9f1d685cfcf571",
            "MacAddress": "02:42:ac:12:00:02",
            "IPv4Address": "172.18.0.2/16",
            "IPv6Address": ""
        }
用友

Inputs.conf:

[splunktcp://9997]
disabled = 0

[http://hec-uf]
description = UF HTTP Event Collector
disabled = 0
token = 4022d42f-9132-442a-8a79-5d3eea1ad40d
index = mytest
indexes = mytest
outputgroup = tcpout

Outputs.conf 用友:

[indexAndForward]
index = false

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = dspinelli-ent:9997

[tcpout-server://dspinelli-ent:9997]

用友与企业服务器建立通信:

netstat -an | grep 9997
tcp        0      0 0.0.0.0:9997            0.0.0.0:*               LISTEN
tcp        0      0 172.18.0.3:44420        172.18.0.2:9997         ESTABLISHED

./bin/splunk list forward-server
Active forwards:
        dspinelli-ent:9997
Configured but inactive forwards:
        None

尝试用一些测试数据卷曲 UF 显示成功:

curl -k https://x.x.x.x:8087/services/collector \
> -H 'Authorization: Splunk 4022d42f-9132-442a-8a79-5d3eea1ad40d' \
> -d '{"sourcetype": "demo", "event":"Hello, I was sent from UF"}'
{"text":"Success","code":0}

但是,Enterprise Server 中的索引上从未显示任何数据:

有谁知道这里可能出了什么问题或接下来的步骤是什么?

问题出在 inputs.conf。更新如下:

[http://hec-uf]
description = UF HTTP Event Collector
disabled = 0
token = 4022d42f-9132-442a-8a79-5d3eea1ad40d
_TCP_ROUTING = *
index = _internal

在 update/restart 之后开始在 Enterprise 上接收消息: