https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-can-t-send-data-to-enterprise/m-p/689929#M114809 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/268778">@Cyner__</a>&nbsp;,</P><P>at first did you followed the instructions at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/Usingforwardingagents" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/Usingforwardingagents</A>&nbsp;?</P><P>In other words:</P><UL><LI>did you checked the open route between UF and Splunk on port 9997 (default)? you can do this using telnet.</LI><LI>did you enabled receiving in Splunk Enterprise ? [Settings &gt; Forwardring and Receiving &gt; Receiving]</LI><LI>did you enabled forwarding in Universal Forwarder?</LI></UL><P>When you did the above steps, you can check the connection using the following search</P><LI-CODE lang="markup">index=_internal host=your_client_host)</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Fri, 07 Jun 2024 08:35:25 GMT gcusello 2024-06-07T08:35:25Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-can-t-send-data-to-enterprise/m-p/689926#M114807 <P>I am newbie to splunk. Any help is appreciated</P><P>So I have an splunk enterprise in my windows computer. and splunk forwarder in a ubuntu VPS server with a cowrie honeypot built in. So my problem is when i try to ping test my local computer with VPS server , i have %100 packet loss.</P><P>Also splunkd log file is full of "cooked connection to "my-local-ip" timed out and</P><P>... blocked nfor blocked_seconds=3000. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.</P><P>errors</P><P>Thanks for helping. I am waiting for your response</P> Fri, 07 Jun 2024 08:16:25 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-can-t-send-data-to-enterprise/m-p/689926#M114807 Cyner__ 2024-06-07T08:16:25Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-can-t-send-data-to-enterprise/m-p/689927#M114808 <P>Also i can't find anything in the Splunk Enterprise. Nothing in forwarder management section and no data whatsoever</P> Fri, 07 Jun 2024 08:30:38 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-can-t-send-data-to-enterprise/m-p/689927#M114808 Cyner__ 2024-06-07T08:30:38Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-can-t-send-data-to-enterprise/m-p/689929#M114809 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/268778">@Cyner__</a>&nbsp;,</P><P>at first did you followed the instructions at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/Usingforwardingagents" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/Usingforwardingagents</A>&nbsp;?</P><P>In other words:</P><UL><LI>did you checked the open route between UF and Splunk on port 9997 (default)? you can do this using telnet.</LI><LI>did you enabled receiving in Splunk Enterprise ? [Settings &gt; Forwardring and Receiving &gt; Receiving]</LI><LI>did you enabled forwarding in Universal Forwarder?</LI></UL><P>When you did the above steps, you can check the connection using the following search</P><LI-CODE lang="markup">index=_internal host=your_client_host)</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Fri, 07 Jun 2024 08:35:25 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-can-t-send-data-to-enterprise/m-p/689929#M114809 gcusello 2024-06-07T08:35:25Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-can-t-send-data-to-enterprise/m-p/689942#M114810 <P>Thanks for the help&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>But my problem is still occurs.</P><P>When i use telnet with 9997 port to my computer (tried both private and public ip) telnet runs "connection timed out" error.</P><P>i already enabled receiving.</P><P>I don't know if i enabled forwarder or not bu i Start'ed it with command and configured output and input file</P><P>&nbsp;</P><P>This is inputs.conf:</P><P>[monitor:///home/cowrie/cowrie/var/log/cowrie/cowrie.json]<BR />index = cowrie<BR />sourcetype = json<BR />disabled = false</P><P>&nbsp;</P><P>this is output.conf:</P><P>[tcpout]<BR />defaultGroup = default-autolb-group</P><P>[tcpout:default-autolb-group]<BR />disabled = false<BR />server = my-private-ip:9997</P><P>&nbsp;</P><P>sorry if i missed something as i said im both new to linux and splunk</P> Fri, 07 Jun 2024 09:13:44 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-can-t-send-data-to-enterprise/m-p/689942#M114810 Cyner__ 2024-06-07T09:13:44Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-can-t-send-data-to-enterprise/m-p/689944#M114811 <P>ah also when i clicked "data summary" button from splunk enterprise web,&nbsp; i only see "waiting for results"&nbsp;</P> Fri, 07 Jun 2024 09:16:50 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-can-t-send-data-to-enterprise/m-p/689944#M114811 Cyner__ 2024-06-07T09:16:50Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-can-t-send-data-to-enterprise/m-p/689946#M114812 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/268778">@Cyner__</a>&nbsp;,</P><P>you should run the telnet from the client, not from the Server:</P><LI-CODE lang="markup">telnet my-private-ip 9997</LI-CODE><P>If it doesn't answer there's something in the middle (e.g. personal firewalls) that block the connection.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 07 Jun 2024 09:21:16 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-can-t-send-data-to-enterprise/m-p/689946#M114812 gcusello 2024-06-07T09:21:16Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-can-t-send-data-to-enterprise/m-p/689949#M114813 <P>Ok. Now i run the telnet &lt;my-forwarders-ip&gt; 9997 command from my windows pc</P><P>The result is "could not open connection to the host. port 9997 .connect failed"&nbsp;</P><P>&nbsp;</P><P>i run for both private ip and public ip.</P><P>My windows firewall is disabled and my forwarders server doesn't even have firewall installed</P><P>&nbsp;</P> Fri, 07 Jun 2024 09:49:44 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-can-t-send-data-to-enterprise/m-p/689949#M114813 Cyner__ 2024-06-07T09:49:44Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-can-t-send-data-to-enterprise/m-p/689952#M114814 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>i think i found my problem. I don't have open 9997 port on my forwarder server i guess.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyner___0-1717754080314.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31219i9ED30073CD0839FB/image-size/medium?v=v2&amp;px=400" role="button" title="Cyner___0-1717754080314.png" alt="Cyner___0-1717754080314.png" /></span></P><P>this is the screenshot. How can i open the 9997 port</P> Fri, 07 Jun 2024 09:59:59 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-can-t-send-data-to-enterprise/m-p/689952#M114814 Cyner__ 2024-06-07T09:59:59Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-can-t-send-data-to-enterprise/m-p/689967#M114817 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/268778">@Cyner__</a>&nbsp;,</P><P>port 9997 must be opened on the Spunk Enterprise, not on the client, you can open the port in [Settings &gt; Forwarding and Receiving &gt; Receiving].</P><P>Infact the telnet test must be done on the client not from the Splunk Server.</P><P>Did you completed al the steps described in the document or in my previous answer?</P><P>Ciao.</P><P>Giuseppe</P> Fri, 07 Jun 2024 11:57:49 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-can-t-send-data-to-enterprise/m-p/689967#M114817 gcusello 2024-06-07T11:57:49Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-can-t-send-data-to-enterprise/m-p/689969#M114818 <P>Hi.&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>&nbsp;</P><P>yes i did all. what do you mean by client do you mean the server with forwarder or splunk enterprise ?</P><P>&nbsp;</P><P>and when i try to telnet the splunk server via forwarder server "i think its client" connection always times out.</P><P>i saw my splunk server (my computer i guess) doesn't have any inputs.conf at directory C:\Program Files\Splunk\etc\system\local path.&nbsp;</P><P>what should i do?&nbsp;</P><P>&nbsp;</P><P>best regards</P><P>&nbsp;</P> Fri, 07 Jun 2024 12:12:42 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-can-t-send-data-to-enterprise/m-p/689969#M114818 Cyner__ 2024-06-07T12:12:42Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-can-t-send-data-to-enterprise/m-p/689978#M114820 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/268778">@Cyner__</a>,</P><P>you have to enable receiving on Splunk Enterprise,</P><P>then you have to check the route from the Universal Forwarder on port 9997 to the Spunk Enterprise (using telnet),</P><P>then you have to configure your outputs.con (as described in the above link) in the Universal Forwarder.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 07 Jun 2024 12:56:24 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-can-t-send-data-to-enterprise/m-p/689978#M114820 gcusello 2024-06-07T12:56:24Z