https://community.splunk.com/t5/Getting-Data-In/Indexer-isn-t-receiving-data-from-the-Universal-Forwarder/m-p/114290#M23910 <P>Just doubled-checked. If data is coming in, it's coming through the Indexer not from the Forwarder.</P> Tue, 19 May 2015 19:06:37 GMT tjohnson2 2015-05-19T19:06:37Z https://community.splunk.com/t5/Getting-Data-In/Indexer-isn-t-receiving-data-from-the-Universal-Forwarder/m-p/114288#M23908 <P>Hello,</P> <P>I'm having issues receiving data on my Indexer from the Universal Forwarder. Prior to installing the Universal Forwarder, I confirmed that the Indexer was able to receive data. However, after installing the Universal Forwarder and configuring according to Deployment instructions, I confirmed that the Forward-Server was "Active", Netstat was ESTABLISHED on both servers, the Inputs.conf and Outputs.conf files on the Universal Forwarder were configured to receive UDP Traffic and send traffic to the Indexer. For the purposes of troubleshooting, my OS Firewall has been turned off and I also confirmed that data is showing up in the index= _internal host=forward-server. Data is not updating in the Search Head. Does anyone have any ideas, or know of anything that has been missed.</P> <HR /> <H2>FORWARDER</H2> <P>[root@SplunkForwarder bin]# ./splunk list forward-server<BR /> Active forwards:<BR /> 10.202.192.33:9997<BR /> Configured but inactive forwards:<BR /> None</P> <HR /> <P>[root@SplunkForwarder local]# more inputs.conf <BR /> [default]<BR /> host = Splunk_Forwarder</P> <P>[udp://5514]<BR /> index = pan_logs<BR /> sourcetype = pan_log<BR /> connection_host = ip<BR /> no_appending_timestamp = true<BR /> disabled = 1</P> <P>[udp://514]</P> <H2>disabled = false</H2> <P>[root@SplunkForwarder local]# more outputs.conf <BR /> [tcpout]<BR /> defaultGroup = default-autolb-group</P> <P>[tcpout:default-autolb-group]<BR /> server = 10.202.192.33:9997</P> <P>[tcpout-server://10.202.192.33:9997]</P> <HR /> <H2>INDEXER</H2> <P>[root@SplunkLinux bin]# ./splunk display listen<BR /> Receiving is enabled on port 9997.</P> Mon, 28 Sep 2020 19:59:23 GMT https://community.splunk.com/t5/Getting-Data-In/Indexer-isn-t-receiving-data-from-the-Universal-Forwarder/m-p/114288#M23908 tjohnson2 2020-09-28T19:59:23Z https://community.splunk.com/t5/Getting-Data-In/Indexer-isn-t-receiving-data-from-the-Universal-Forwarder/m-p/114289#M23909 <P>Is there really data arriving on port 5514 on the forwarder?</P> Tue, 19 May 2015 18:57:23 GMT https://community.splunk.com/t5/Getting-Data-In/Indexer-isn-t-receiving-data-from-the-Universal-Forwarder/m-p/114289#M23909 lguinn2 2015-05-19T18:57:23Z https://community.splunk.com/t5/Getting-Data-In/Indexer-isn-t-receiving-data-from-the-Universal-Forwarder/m-p/114290#M23910 <P>Just doubled-checked. If data is coming in, it's coming through the Indexer not from the Forwarder.</P> Tue, 19 May 2015 19:06:37 GMT https://community.splunk.com/t5/Getting-Data-In/Indexer-isn-t-receiving-data-from-the-Universal-Forwarder/m-p/114290#M23910 tjohnson2 2015-05-19T19:06:37Z https://community.splunk.com/t5/Getting-Data-In/Indexer-isn-t-receiving-data-from-the-Universal-Forwarder/m-p/114291#M23911 <P>Solved my issue by add the information in the location "$SPLUNK_HOME/etc/apps/search/local/inputs.conf"</P> <P>This document is also a great resource: <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Useforwardingagentstogetdata">http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Useforwardingagentstogetdata</A></P> Tue, 02 Jun 2015 20:24:13 GMT https://community.splunk.com/t5/Getting-Data-In/Indexer-isn-t-receiving-data-from-the-Universal-Forwarder/m-p/114291#M23911 tjohnson2 2015-06-02T20:24:13Z