https://community.splunk.com/t5/Security/Receiving-Data-on-Splunk-Server/m-p/549801#M12208 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233978">@AmyShah</a>,</P><P>if you're not receiving data from a Forwarder you have at first to check if you did all the configuration steps:</P><UL><LI>put Indexer in receiving state [Settings -- Forwarding and Receiving -- Receive Data];</LI><LI>configure Forwarder to send data to that Indexers (<A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/Usingforwardingagents" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/Data/Usingforwardingagents</A>), with final restart of the Forwarder;</LI><LI>be sure that the route between them is open (from Forwarder use telnet on the Indexer's 9997 port).</LI></UL><P>If you did all the above configuration steps, you have to check, if you're receiving logs.</P><P>At first check if you're receiving the Splunk internal logs:</P><LI-CODE lang="markup">index=_internal host=&lt;your_host&gt;</LI-CODE><P>If yes, the problem is that you have to configure inputs&nbsp; (<A href="https://docs.splunk.com/Documentation/Splunk/8.1.3/Data/Usingapps" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.3/Data/Usingapps</A>)&nbsp;or there's a problem on them.</P><P>If not, check again the connection.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 29 Apr 2021 10:27:59 GMT gcusello 2021-04-29T10:27:59Z https://community.splunk.com/t5/Security/Receiving-Data-on-Splunk-Server/m-p/549799#M12207 <P>&nbsp;</P><P>I am unable to receive data from the forwarder to the server However I have added the server</P><P>on server I got</P><P>netstat -auntp | grep 9997</P><P>tcp 0 0 0.0.0.0:9997 0.0.0.0:* LISTEN<BR />tcp 0 0 myserver:9997 ServerIP:60992 ESTABLISHED</P><P>&nbsp;</P> Thu, 29 Apr 2021 10:11:50 GMT https://community.splunk.com/t5/Security/Receiving-Data-on-Splunk-Server/m-p/549799#M12207 AmyShah 2021-04-29T10:11:50Z https://community.splunk.com/t5/Security/Receiving-Data-on-Splunk-Server/m-p/549801#M12208 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233978">@AmyShah</a>,</P><P>if you're not receiving data from a Forwarder you have at first to check if you did all the configuration steps:</P><UL><LI>put Indexer in receiving state [Settings -- Forwarding and Receiving -- Receive Data];</LI><LI>configure Forwarder to send data to that Indexers (<A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/Usingforwardingagents" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/Data/Usingforwardingagents</A>), with final restart of the Forwarder;</LI><LI>be sure that the route between them is open (from Forwarder use telnet on the Indexer's 9997 port).</LI></UL><P>If you did all the above configuration steps, you have to check, if you're receiving logs.</P><P>At first check if you're receiving the Splunk internal logs:</P><LI-CODE lang="markup">index=_internal host=&lt;your_host&gt;</LI-CODE><P>If yes, the problem is that you have to configure inputs&nbsp; (<A href="https://docs.splunk.com/Documentation/Splunk/8.1.3/Data/Usingapps" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.3/Data/Usingapps</A>)&nbsp;or there's a problem on them.</P><P>If not, check again the connection.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 29 Apr 2021 10:27:59 GMT https://community.splunk.com/t5/Security/Receiving-Data-on-Splunk-Server/m-p/549801#M12208 gcusello 2021-04-29T10:27:59Z