Verification

Verifying the Installation

• To check the status of the Splunk forwarder, run the following command:

sudo ./splunk status

• To verify the connection to the indexer, run the following command:

sudo ./splunk list forward-server

Verifying the Port

Ensure that outbound port 9997 (the default Splunk receiving port) is open on your Linux machine. Open port 9997 if you are using a firewall such as firewalld.

Verifying the Forwarder Status

You can verify that the forwarder is active and sending data to Splunk Cloud by running the following command:

sudo /opt/splunkforwarder/bin/splunk list forward-server

You should see a status like Active if the connection to Splunk Cloud is working correctly.
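
As an added example (not part of the original guide or Splunk's own tooling), the shell function below makes this check scriptable: it parses the output of splunk list forward-server and returns non-zero unless at least one receiver is active and none is inactive. It assumes the usual two-section output layout ("Active forwards:" and "Configured but inactive forwards:"); the sample output and hostname are constructed.

```shell
#!/bin/sh
# Added example: classify the output of `splunk list forward-server`.
# Assumption: the output has two sections, "Active forwards:" and
# "Configured but inactive forwards:", with "None" for an empty section.

# check_forwarders: reads the command output on stdin.
# Prints one line per receiver: "active <host:port>" or "inactive <host:port>".
# Returns 0 only if at least one receiver is active and none is inactive,
# so a monitoring job or cron wrapper can alert when log shipping stops.
check_forwarders() {
    awk '
        /^Active forwards:/                  { section = "active";   next }
        /^Configured but inactive forwards:/ { section = "inactive"; next }
        section != "" && NF > 0 {
            if ($1 == "None") next        # empty section marker
            print section, $1             # $1 is the host:port entry
            count[section]++
        }
        END { exit !(count["active"] > 0 && count["inactive"] == 0) }
    '
}

# Constructed sample output; the hostname is a placeholder.
SAMPLE_OK='Active forwards:
    inputs1.example.splunkcloud.com:9997
Configured but inactive forwards:
    None'

SAMPLE_DOWN='Active forwards:
    None
Configured but inactive forwards:
    inputs1.example.splunkcloud.com:9997'

# On a real host (path as used on this page):
#   sudo /opt/splunkforwarder/bin/splunk list forward-server | check_forwarders
printf '%s\n' "$SAMPLE_OK" | check_forwarders
printf '%s\n' "$SAMPLE_DOWN" | check_forwarders || echo "forwarder is not connected"
```

A receiver listed as inactive means events are queuing on the host rather than reaching Splunk Cloud, which is a gap in log coverage worth alerting on.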

 

Verifying the Data in Splunk Cloud

  1. Log in to your Splunk Cloud instance.

  2. Go to Search & Reporting and search for the incoming logs:

index=_internal host=<your_linux_host>

You can also search for data from /var/log/messages:

index=* source="/var/log/messages"