I've run through the installation process and quadruple-checked my work, but nothing is showing up in Splunk. We have 3 indexers and 1 search head. One thing that isn't clear is whether port 9997 (referenced in the install doc) is UDP or TCP. Our search head isn't using "Forwarding and Receiving", so I just configured UDP 9997 and TCP 9997 in Settings->Data Inputs->UDP (and TCP respectively). The Bit9 server is writing trace files to my export directory as expected. I'm a Splunk newbie, and I've obviously screwed up something, but I'm at a loss to know where else to look.
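Added example, not part of the original post or of the Bit9 app: port 9997 in Splunk is TCP, and it is normally the Splunk-to-Splunk receiving port that "Forwarding and receiving" on an indexer writes as a `[splunktcp://9997]` stanza in inputs.conf. A raw `[tcp://9997]` or `[udp://9997]` stanza created under Settings -> Data Inputs is a different input type that expects plain data, not forwarder traffic. The script below parses an inputs.conf in Splunk's stanza format and reports which input type, if any, claims a given port, so the setup in the post can be checked on each indexer. The sample config, the `bit9:server` sourcetype and the `/opt/bit9/export` path are constructed for the example.

```python
"""Report which Splunk inputs.conf stanzas claim a given port.

Added example (not Splunk's or the Bit9 app's own code). Run it against a
real file with:  python check_9997.py /opt/splunk/etc/system/local/inputs.conf
Without an argument it uses the constructed sample below.
"""
import re
import sys

# Constructed sample mirroring the post: raw UDP and TCP inputs on 9997 and
# a file monitor, but no [splunktcp://9997] receiver for forwarders.
SAMPLE_INPUTS_CONF = """
[udp://9997]
sourcetype = bit9:server
connection_host = ip

[tcp://9997]
sourcetype = bit9:server
connection_host = ip

[monitor:///opt/bit9/export]
sourcetype = bit9:server
disabled = 0
"""

# Matches [scheme://target], e.g. [splunktcp://9997], [tcp://10.0.0.5:9997],
# [monitor:///path]. A bare [splunktcp] stanza without a port is not matched.
STANZA_RE = re.compile(r"^\[(?P<scheme>[a-z_]+)://(?P<target>[^\]]*)\]$")

NETWORK_SCHEMES = ("splunktcp", "tcp", "udp")


def parse_stanzas(text):
    """Return a list of (scheme, target, settings) tuples, one per stanza."""
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = (m.group("scheme"), m.group("target"), {})
            stanzas.append(current)
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[2][key] = value
    return stanzas


def inputs_on_port(text, port):
    """Map each network input scheme bound to `port` to True if enabled."""
    found = {}
    for scheme, target, settings in parse_stanzas(text):
        # Network targets are "port" or "host:port"; take the port part.
        if scheme in NETWORK_SCHEMES and target.rsplit(":", 1)[-1] == str(port):
            found[scheme] = settings.get("disabled", "0") not in ("1", "true")
    return found


def diagnose(text, port=9997):
    """Verdict on whether forwarders can deliver to `port` on this host."""
    found = inputs_on_port(text, port)
    if found.get("splunktcp"):
        return "ok: splunktcp receiver on %d" % port
    claimed = ", ".join(sorted(found)) or "nothing"
    return "no splunktcp receiver on %d (found: %s)" % (port, claimed)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            conf = fh.read()
    else:
        conf = SAMPLE_INPUTS_CONF
    print(diagnose(conf))
```

The verdict only covers the listening side; a forwarder whose outputs.conf points at the wrong host, or a firewall between forwarder and indexer, would still leave the index empty even with a correct `splunktcp` stanza.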