Can a built-in fowarder without configuration opti...

gbowden_pheaa · ‎03-23-2017

We are trying to connect a Mobileiron built-in Splunk forwarder to an indexer cluster. At best we get an intermittent connection. Whenever we recycle the Mobileiron splunk daemon we see the following message from an indexer:

timestamp INFO TcpInputProc - clustering is enabled but ACK not enabled on forwarder=ip_address

We do not get any other messages after this.

Shouldn't an indexer accept a connection whether useAck is loaded or not from a forwarder? Are there any indexer configurations to accept useAck=false (default)?

schandrasekar · ‎10-13-2020

Hi, I am looking at how to integrate MobileIron Core data to Splunk HFs or Splunk Index cluster. Any leads, please?

Masa · ‎03-24-2017

"""
Shouldn't an indexer accept a connection whether useAck is loaded or not from a forwarder?
Are there any indexer configurations to accept useAck=false (default)?
"""
Yes, Indexer Clustering can accept default (useAck=false) settings. The message is INFO level and not indicating any connection issue.

Can a built-in fowarder without configuration options (useAck) connect to a Splunk indexer cluster that uses "useAck"?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?