Splunk UF 不向索引器发送数据
Splunk UF not sending data to indexer
我有 Splunk UF 和 Splunk Enterprise Server,都是 v8.2.1,运行 在 docker 容器中,但我无法在 Enterprise Server 上看到与新索引 I 相关的任何数据已创建,'mytest':
企业服务器将默认端口 9997 作为接收端口激活:
两个容器都连接到 'splunk' 我创建的网络:
"Containers": {
"0f9e44620ce9fba16df21af6d2253c4b02b9714cb3ea126a616f10d06f836eb9": {
"Name": "dspinelli-uf",
"EndpointID": "0e1dd065ee3d815c943a8b52e6107e53a4b57d9e3103b17d1461611543769869",
"MacAddress": "02:42:ac:12:00:03",
"IPv4Address": "172.18.0.3/16",
"IPv6Address": ""
},
"3a1a084561eda8013baa8847f4ca30fd68eb74468ff666195bf1c15e0f8a280f": {
"Name": "dspinelli-ent",
"EndpointID": "7159b1a41840f9dfae04b50bb61386f8c3ac2233aee334026b9f1d685cfcf571",
"MacAddress": "02:42:ac:12:00:02",
"IPv4Address": "172.18.0.2/16",
"IPv6Address": ""
}
用友Inputs.conf:
[splunktcp://9997]
disabled = 0
[http://hec-uf]
description = UF HTTP Event Collector
disabled = 0
token = 4022d42f-9132-442a-8a79-5d3eea1ad40d
index = mytest
indexes = mytest
outputgroup = tcpout
Outputs.conf 用友:
[indexAndForward]
index = false
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = dspinelli-ent:9997
[tcpout-server://dspinelli-ent:9997]
用友与企业服务器建立通信:
netstat -an | grep 9997
tcp 0 0 0.0.0.0:9997 0.0.0.0:* LISTEN
tcp 0 0 172.18.0.3:44420 172.18.0.2:9997 ESTABLISHED
./bin/splunk list forward-server
Active forwards:
dspinelli-ent:9997
Configured but inactive forwards:
None
尝试用一些测试数据卷曲 UF 显示成功:
curl -k https://x.x.x.x:8087/services/collector \
> -H 'Authorization: Splunk 4022d42f-9132-442a-8a79-5d3eea1ad40d' \
> -d '{"sourcetype": "demo", "event":"Hello, I was sent from UF"}'
{"text":"Success","code":0}
但是,Enterprise Server 中的索引上从未显示任何数据:
有谁知道这里可能出了什么问题或接下来的步骤是什么?
问题出在 inputs.conf。更新如下:
[http://hec-uf]
description = UF HTTP Event Collector
disabled = 0
token = 4022d42f-9132-442a-8a79-5d3eea1ad40d
_TCP_ROUTING = *
index = _internal
在 update/restart 之后开始在 Enterprise 上接收消息:
我有 Splunk UF 和 Splunk Enterprise Server,都是 v8.2.1,运行 在 docker 容器中,但我无法在 Enterprise Server 上看到与新索引 I 相关的任何数据已创建,'mytest':
企业服务器将默认端口 9997 作为接收端口激活:
两个容器都连接到 'splunk' 我创建的网络:
"Containers": {
"0f9e44620ce9fba16df21af6d2253c4b02b9714cb3ea126a616f10d06f836eb9": {
"Name": "dspinelli-uf",
"EndpointID": "0e1dd065ee3d815c943a8b52e6107e53a4b57d9e3103b17d1461611543769869",
"MacAddress": "02:42:ac:12:00:03",
"IPv4Address": "172.18.0.3/16",
"IPv6Address": ""
},
"3a1a084561eda8013baa8847f4ca30fd68eb74468ff666195bf1c15e0f8a280f": {
"Name": "dspinelli-ent",
"EndpointID": "7159b1a41840f9dfae04b50bb61386f8c3ac2233aee334026b9f1d685cfcf571",
"MacAddress": "02:42:ac:12:00:02",
"IPv4Address": "172.18.0.2/16",
"IPv6Address": ""
}
用友Inputs.conf:
[splunktcp://9997]
disabled = 0
[http://hec-uf]
description = UF HTTP Event Collector
disabled = 0
token = 4022d42f-9132-442a-8a79-5d3eea1ad40d
index = mytest
indexes = mytest
outputgroup = tcpout
Outputs.conf 用友:
[indexAndForward]
index = false
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = dspinelli-ent:9997
[tcpout-server://dspinelli-ent:9997]
用友与企业服务器建立通信:
netstat -an | grep 9997
tcp 0 0 0.0.0.0:9997 0.0.0.0:* LISTEN
tcp 0 0 172.18.0.3:44420 172.18.0.2:9997 ESTABLISHED
./bin/splunk list forward-server
Active forwards:
dspinelli-ent:9997
Configured but inactive forwards:
None
尝试用一些测试数据卷曲 UF 显示成功:
curl -k https://x.x.x.x:8087/services/collector \
> -H 'Authorization: Splunk 4022d42f-9132-442a-8a79-5d3eea1ad40d' \
> -d '{"sourcetype": "demo", "event":"Hello, I was sent from UF"}'
{"text":"Success","code":0}
但是,Enterprise Server 中的索引上从未显示任何数据:
有谁知道这里可能出了什么问题或接下来的步骤是什么?
问题出在 inputs.conf。更新如下:
[http://hec-uf]
description = UF HTTP Event Collector
disabled = 0
token = 4022d42f-9132-442a-8a79-5d3eea1ad40d
_TCP_ROUTING = *
index = _internal
在 update/restart 之后开始在 Enterprise 上接收消息: