https://community.splunk.com/t5/Getting-Data-In/Unable-to-get-universal-forwarder-to-become-active-Linux/m-p/91822#M19092 <UL> <LI>The unix inputs goes to the "os" index by default, check in every indexes with index=*.</LI> <LI>the UF have a slow thruput by default, it may still be forwarding old logs.</LI> <LI>when you opened the port 9997 on the indexer, was it as tcp ( in the inputs manager), or as splunktcp (in the forward and received manager) ? The correct one is the second and look like <CODE>[splunktcp://9997]</CODE> in inputs.conf</LI> <LI>no firewall ? try a <CODE>telnet redactedservername 9997</CODE> from the forwarders</LI> </UL> <P>finally, read the logs in $SPLUNK_HOME/var/log/splunk/splunkd.log in both side.</P> Tue, 16 Oct 2012 15:44:56 GMT yannK 2012-10-16T15:44:56Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-get-universal-forwarder-to-become-active-Linux/m-p/91821#M19091 <P>Hi, I have configured a basic splunk instance and it is indexing locally. I wanted to add a universal forwarder from another linux server and have the *nix app forward to the indexer. I have configured a data input on the indexer on port 9997 which shows as active (I checked it with strobe from another machine).</P> <P>I installed the universal forwarder on a different server and set up the indexer as the forward server. It shows as inactive.<BR /> /opt/splunkforwarder/bin # ./splunk list forward-server<BR /> Your session is invalid. Please login.<BR /> Splunk username: admin<BR /> Password: <BR /> Active forwards:<BR /> None<BR /> Configured but inactive forwards:<BR /> <SERVERNAME redacted="">:9997</SERVERNAME></P> <P>Any help is appreciated.</P> Tue, 16 Oct 2012 15:21:34 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-get-universal-forwarder-to-become-active-Linux/m-p/91821#M19091 jplangan 2012-10-16T15:21:34Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-get-universal-forwarder-to-become-active-Linux/m-p/91822#M19092 <UL> <LI>The unix inputs goes to the "os" index by default, check in every indexes with index=*.</LI> <LI>the UF have a slow thruput by default, it may still be forwarding old logs.</LI> <LI>when you opened the port 9997 on the indexer, was it as tcp ( in the inputs manager), or as splunktcp (in the forward and received manager) ? The correct one is the second and look like <CODE>[splunktcp://9997]</CODE> in inputs.conf</LI> <LI>no firewall ? try a <CODE>telnet redactedservername 9997</CODE> from the forwarders</LI> </UL> <P>finally, read the logs in $SPLUNK_HOME/var/log/splunk/splunkd.log in both side.</P> Tue, 16 Oct 2012 15:44:56 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-get-universal-forwarder-to-become-active-Linux/m-p/91822#M19092 yannK 2012-10-16T15:44:56Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-get-universal-forwarder-to-become-active-Linux/m-p/91823#M19093 <P>I used the wrong place to configure the receiving port. I needed to use Manager &gt;&gt; Forwarding and receiving &gt;&gt;Configure Receiving to configure it. It does now say that the forwarder is active.</P> <P>I need to tell the forwarder what to send now, somehow. </P> <P>Thanks!</P> Tue, 16 Oct 2012 15:55:27 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-get-universal-forwarder-to-become-active-Linux/m-p/91823#M19093 jplangan 2012-10-16T15:55:27Z