Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

forwarder data transfer not working

chirag3pillar
Explorer
‎12-20-2013 05:04 AM

I have set up an indexer and a forwwarder

On forwarder, the logs are -

12-20-2013 09:36:24.224 +0530 WARN TcpOutputFd - Connect to 192.168.1.40:9997 failed. No connection could be made because the target machine actively refused it.
12-20-2013 09:36:24.224 +0530 ERROR TcpOutputFd - Connection to host=192.168.1.40:9997 failed
12-20-2013 09:36:24.224 +0530 INFO TcpOutputProc - Detected connection to 192.168.1.40:9997 closed
12-20-2013 09:36:24.224 +0530 INFO TcpOutputProc - Will close stream to current indexer 192.168.1.40:9997
12-20-2013 09:36:24.224 +0530 INFO TcpOutputProc - Closing stream for idx=192.168.1.40:9997
12-20-2013 09:36:25.684 +0530 WARN TcpOutputFd - Connect to 192.168.1.40:9997 failed. No connection could be made because the target machine actively refused it.
12-20-2013 09:36:25.684 +0530 ERROR TcpOutputFd - Connection to host=192.168.1.40:9997 failed

12-20-2013 09:36:31.366 +0530 INFO TcpOutputProc - Connection to 192.168.1.40:9997 closed. Connection closed by server.

The indexer on the server is receiving data on 9997 (As the port is open) but there is no data transfer

Please let me know what i am doing wrong. I am a production 20 GB limit licensed user for Splunk

Thanks

Tags (1)
0 Karma
Reply

chirag3pillar
Explorer
‎12-20-2013 05:49 AM

solved it, thanks - index = main solved it

0 Karma
Reply

woodcock
Esteemed Legend
‎10-25-2017 07:38 PM

You should click Accept to close this question.

0 Karma
Reply

lukejadamec
Super Champion
‎12-20-2013 05:42 AM

It sounds like you may be having a problem with the connnectionhost config. See this answer for more details.

http://answers.splunk.com/answers/49833/splunk-forwarder-connection-refused-from-splunk-indexer

Basically, it says you should try adding this to your indexer:

    Etc/system/local/inputs.conf

    [splunktcp://9997] 
connection_host = none
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...