https://community.splunk.com/t5/Security/Noob-Can-t-add-TCP-Port-9997-Error-in-handler-raw/m-p/84309#M2791 <P>On forwarder:<BR /> ttcp 0 0 0.0.0.0:9997 0.0.0.0:* LISTEN 14095/splunkd<BR /><BR /> tcp 0 0 FORWARDERIP:33750 SERVERIP:9997 TIME_WAIT -<BR /><BR /> tcp 0 0 FORWARDERIP:32878 SERVERIP:9997 ESTABLISHED 14095/splunkd<BR /><BR /> tcp 0 0 FORWARDERIP:33749 SERVERIP:9997 TIME_WAIT -<BR /><BR /> tcp 0 0 FORWARDERIP:33751 SERVERIP:9997 ESTABLISHED 14095/splunkd</P> Mon, 28 Sep 2020 09:28:23 GMT franklovecchio 2020-09-28T09:28:23Z https://community.splunk.com/t5/Security/Noob-Can-t-add-TCP-Port-9997-Error-in-handler-raw/m-p/84306#M2788 <P>So, I'm new, and having a bit of trouble <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>I have a Splunk instance running, we'll call it my server (can access GUI), that I'm trying to configure to listen on port 9997. I have another box which is setup as a "forwarder", and to configure it, I ran "splunk add forward-server serverIP:9997" and "splunk set splunkd-port 9997" (I changed the mgmt port because not changing it didn't work either).</P> <P>So, from the GUI on the server, I click "Manage", "Data Inputs", "TCP", and I try to add a new port to receive data on (9997). When I say add syslog from all incoming hosts on this port, I get the error "Encountered the following error while trying to save: In handler 'raw': Parameter name: TCP port 9997 is not available". Why would this be? I'm on amazon ec2, and definitely have the ports 9997, 8000, and 8089 opened. Please help!</P> Tue, 19 Apr 2011 17:13:49 GMT https://community.splunk.com/t5/Security/Noob-Can-t-add-TCP-Port-9997-Error-in-handler-raw/m-p/84306#M2788 franklovecchio 2011-04-19T17:13:49Z https://community.splunk.com/t5/Security/Noob-Can-t-add-TCP-Port-9997-Error-in-handler-raw/m-p/84307#M2789 <P>netstat -tnap | grep 9997</P> <P>anything else currently bound to that port?</P> Tue, 19 Apr 2011 17:14:39 GMT https://community.splunk.com/t5/Security/Noob-Can-t-add-TCP-Port-9997-Error-in-handler-raw/m-p/84307#M2789 netwrkr 2011-04-19T17:14:39Z https://community.splunk.com/t5/Security/Noob-Can-t-add-TCP-Port-9997-Error-in-handler-raw/m-p/84308#M2790 <P>I don't think so - looks about right to me!</P> <P>On server:<BR /> tcp 0 0 SERVERIP:9997 FORWARDERIP:33749 ESTABLISHED 10923/splunkd<BR /><BR /> tcp 0 0 SERVERIP:9997 FORWARDERIP:32878 ESTABLISHED 10923/splunkd</P> Tue, 19 Apr 2011 17:22:19 GMT https://community.splunk.com/t5/Security/Noob-Can-t-add-TCP-Port-9997-Error-in-handler-raw/m-p/84308#M2790 franklovecchio 2011-04-19T17:22:19Z https://community.splunk.com/t5/Security/Noob-Can-t-add-TCP-Port-9997-Error-in-handler-raw/m-p/84309#M2791 <P>On forwarder:<BR /> ttcp 0 0 0.0.0.0:9997 0.0.0.0:* LISTEN 14095/splunkd<BR /><BR /> tcp 0 0 FORWARDERIP:33750 SERVERIP:9997 TIME_WAIT -<BR /><BR /> tcp 0 0 FORWARDERIP:32878 SERVERIP:9997 ESTABLISHED 14095/splunkd<BR /><BR /> tcp 0 0 FORWARDERIP:33749 SERVERIP:9997 TIME_WAIT -<BR /><BR /> tcp 0 0 FORWARDERIP:33751 SERVERIP:9997 ESTABLISHED 14095/splunkd</P> Mon, 28 Sep 2020 09:28:23 GMT https://community.splunk.com/t5/Security/Noob-Can-t-add-TCP-Port-9997-Error-in-handler-raw/m-p/84309#M2791 franklovecchio 2020-09-28T09:28:23Z https://community.splunk.com/t5/Security/Noob-Can-t-add-TCP-Port-9997-Error-in-handler-raw/m-p/84310#M2792 <P>You're mixing different types of inputs here. I'm unsure as to whether that in itself would cause the problems you describe, but when receiving forwarded data from another Splunk instance, you should configure a corresponding receiver rather than a 'raw' data input. Go to Manager -&gt; Forwarding and receiving -&gt; Configure receiving -&gt; Add new. Since you have established connections on port 9997 on the server it seems someone might already have done this!</P> Wed, 20 Apr 2011 11:31:03 GMT https://community.splunk.com/t5/Security/Noob-Can-t-add-TCP-Port-9997-Error-in-handler-raw/m-p/84310#M2792 Ayn 2011-04-20T11:31:03Z