[英]Splunk UF not sending data to indexer
我有 Splunk UF 和 Splunk Enterprise Server,均為 v8.2.1,在 docker 容器中運行,但我無法在 Enterprise Server 上看到與我創建的新索引“mytest”相關的任何數據:
Enterprise Server 將默認端口 9997 作為接收端口激活:
這兩個容器都連接到我創建的“splunk”.network:
"Containers": {
"0f9e44620ce9fba16df21af6d2253c4b02b9714cb3ea126a616f10d06f836eb9": {
"Name": "dspinelli-uf",
"EndpointID": "0e1dd065ee3d815c943a8b52e6107e53a4b57d9e3103b17d1461611543769869",
"MacAddress": "02:42:ac:12:00:03",
"IPv4Address": "172.18.0.3/16",
"IPv6Address": ""
},
"3a1a084561eda8013baa8847f4ca30fd68eb74468ff666195bf1c15e0f8a280f": {
"Name": "dspinelli-ent",
"EndpointID": "7159b1a41840f9dfae04b50bb61386f8c3ac2233aee334026b9f1d685cfcf571",
"MacAddress": "02:42:ac:12:00:02",
"IPv4Address": "172.18.0.2/16",
"IPv6Address": ""
}
UF 上的 Inputs.conf:
[splunktcp://9997]
disabled = 0
[http://hec-uf]
description = UF HTTP Event Collector
disabled = 0
token = 4022d42f-9132-442a-8a79-5d3eea1ad40d
index = mytest
indexes = mytest
outputgroup = tcpout
UF 上的 Outputs.conf:
[indexAndForward]
index = false
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = dspinelli-ent:9997
[tcpout-server://dspinelli-ent:9997]
UF 和 Enterprise Server 之間的通信建立:
netstat -an | grep 9997
tcp 0 0 0.0.0.0:9997 0.0.0.0:* LISTEN
tcp 0 0 172.18.0.3:44420 172.18.0.2:9997 ESTABLISHED
./bin/splunk list forward-server
Active forwards:
dspinelli-ent:9997
Configured but inactive forwards:
None
嘗試 curl 用友加上一些測試數據顯示成功:
curl -k https://x.x.x.x:8087/services/collector \
> -H 'Authorization: Splunk 4022d42f-9132-442a-8a79-5d3eea1ad40d' \
> -d '{"sourcetype": "demo", "event":"Hello, I was sent from UF"}'
{"text":"Success","code":0}
但是,Enterprise Server 中的索引上從未顯示任何數據:
有誰知道這里可能出什么問題或下一步是什么?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.