https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-doing-load-balancing-properly/m-p/330310#M61225 <P>You also need to tell the indexer to listen. This should be on by default but you can check this:</P> <P><A href="http://docs.splunk.com/Documentation/Forwarder/6.5.2/Forwarder/Enableareceiver">http://docs.splunk.com/Documentation/Forwarder/6.5.2/Forwarder/Enableareceiver</A></P> Fri, 14 Apr 2017 15:28:44 GMT woodcock 2017-04-14T15:28:44Z https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-doing-load-balancing-properly/m-p/330308#M61223 <P>I am forwarding data of one log file from 1 Heavy Forwarder to 2 Indexers. But the heavy forwarder is sending data only to Indexer2. </P> <P><STRONG>- I confirmed it by running query on my searchhead and checking value in field "splunk_server". It was showing just one indexer , i.e Indexer2.</STRONG></P> <P><STRONG>OUTPUTS.CONF</STRONG></P> <PRE><CODE>[indexAndForward] index = false [tcpout] defaultGroup = grp forwardedindex.filter.disable = true [tcpout:grp] disabled = 0 # server = 00.000.0.00:9997,00.000.0.00:9997 server = Indexer1:9997,Indexer2:9997 useACK=true forceTimebasedAutoLB = true </CODE></PRE> <P><STRONG>INPUTS.CONF</STRONG></P> <PRE><CODE>[monitor:///var/log/Folder1/Folder2] host_segment=5 index=SomeIndex sourcetype=SomeSourcetype disabled=0 </CODE></PRE> <P><STRONG>PROPS.CONF</STRONG></P> <PRE><CODE>[SomeSourcetype] DATETIME_CONFIG = MAX_TIMESTAMP_LOOKAHEAD = 32 NO_BINARY_CHECK = true REPORT-syslog = syslog-extractions SHOULD_LINEMERGE = false TIME_FORMAT = %b %d %H:%M:%S TRANSFORMS = syslog-host category = Operating System description = Somedescription disabled = false maxDist = 3 pulldown_type = true </CODE></PRE> <P>Output of Command - ./splunk list forward-server</P> <PRE><CODE>Active forwards: Indexer1:9997 Indexer2.synaptics.com:9997 Configured but inactive forwards: None </CODE></PRE> <P>I am able to ping to both indexers. Packets are being sent. I checked it through linux command "tcpdump dst indexer1" .</P> <P><STRONG>Please help.</STRONG> </P> Fri, 14 Apr 2017 13:11:01 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-doing-load-balancing-properly/m-p/330308#M61223 abhinav_maxonic 2017-04-14T13:11:01Z https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-doing-load-balancing-properly/m-p/330309#M61224 <P>Have you looked in the _internal logs to see what's happening?</P> <P>Are there any events like:</P> <PRE><CODE>04-14-2017 10:03:46.851 -0400 ERROR TcpOutputFd - Connection to host=Indexer1:9997 failed </CODE></PRE> <P>I also noticed that Indexer2 has the FQDN whereas Indexer1 does not. can your HF resolve both hostnames as you have them specified?</P> <P>And are there any firewalls in between the HF and the indexers?</P> Fri, 14 Apr 2017 14:06:29 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-doing-load-balancing-properly/m-p/330309#M61224 jimodonald 2017-04-14T14:06:29Z https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-doing-load-balancing-properly/m-p/330310#M61225 <P>You also need to tell the indexer to listen. This should be on by default but you can check this:</P> <P><A href="http://docs.splunk.com/Documentation/Forwarder/6.5.2/Forwarder/Enableareceiver">http://docs.splunk.com/Documentation/Forwarder/6.5.2/Forwarder/Enableareceiver</A></P> Fri, 14 Apr 2017 15:28:44 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-doing-load-balancing-properly/m-p/330310#M61225 woodcock 2017-04-14T15:28:44Z https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-doing-load-balancing-properly/m-p/330311#M61226 <P>Hi Jim,<BR /> I am using FQDN for both indexers. I have edited my question. I checked my splunkd logs , yes this error is present in log . It occurred just once when I have initially set up this forwarding. <BR /> So what wrong here ? What should I do ? <BR /> I more thing, I am also forwarding some other logs from this HF, it is being load balanced properly two both indexers.</P> Mon, 17 Apr 2017 04:51:08 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-doing-load-balancing-properly/m-p/330311#M61226 abhinav_maxonic 2017-04-17T04:51:08Z https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-doing-load-balancing-properly/m-p/330312#M61227 <P>Receiving is enabled. </P> Mon, 17 Apr 2017 04:51:29 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-doing-load-balancing-properly/m-p/330312#M61227 abhinav_maxonic 2017-04-17T04:51:29Z https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-doing-load-balancing-properly/m-p/330313#M61228 <P>Here is a better search to use:</P> <PRE><CODE>index=_* (9997 OR 9998) (ERR* OR WARN* OR too) source!="*remote_searches.log" source!="*splunkd_ui_access.log" | rex "(?&lt;indexer&gt;\d+\.\d+\.\d+\.\d+):9997" | stats count first(_raw) AS first_raw BY punct host indexer | eval host_count = host . "=" . count | stats sum(count) AS count first(first_raw) AS first_raw values(host_count) BY punct indexer | sort 0 - count </CODE></PRE> Thu, 20 Apr 2017 19:31:45 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-doing-load-balancing-properly/m-p/330313#M61228 woodcock 2017-04-20T19:31:45Z https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-doing-load-balancing-properly/m-p/330314#M61229 <P>I am not getting any of my machine name sending logs or host name listed under "values(host_count)". But I am receiving logs. <BR /> Do I have to look for anything else in the output of this query ?</P> Fri, 21 Apr 2017 09:43:44 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-doing-load-balancing-properly/m-p/330314#M61229 abhinav_maxonic 2017-04-21T09:43:44Z https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-doing-load-balancing-properly/m-p/330315#M61230 <P>This query should show you which Indexers are having the most communication problems overall and also specifically with which hosts. If you don't see your specific hosts in <CODE>values(host_count)</CODE> then these are not forwarding to the indexers AT ALL. If that is the case, I suspect that the <CODE>outputs.conf</CODE> on those hosts does not include those indexers.</P> Fri, 21 Apr 2017 16:56:05 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-doing-load-balancing-properly/m-p/330315#M61230 woodcock 2017-04-21T16:56:05Z https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-doing-load-balancing-properly/m-p/330316#M61231 <P>No , my machines are sending data, I can see them on my search head. Its just for few input monitor it is sending data but not doing the load balancing properly. </P> Mon, 24 Apr 2017 05:11:44 GMT https://community.splunk.com/t5/Getting-Data-In/Heavy-forwarder-not-doing-load-balancing-properly/m-p/330316#M61231 abhinav_maxonic 2017-04-24T05:11:44Z