Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Configured but inactive Splunk-2-Splunk Forwards
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Configured but inactive Splunk-2-Splunk Forwards
Hello,
I am trying to install a light forwarder and I am kind of stumped.
I did the following steps:
sudo /opt/splunk/bin/splunk start
sudo /opt/splunk/bin/splunk enable app SplunkLightForwarder -auth admin
sudo /opt/splunk/bin/splunk restart
./splunk add forward-server myserver.com:9997 -auth admin
sudo /opt/splunk/bin/splunk restart
And at the end I get:
Active Splunk-2-Splunk Forwards:
None
Configured but inactive Splunk-2-Splunk Forwards:
myserver.com:9997
Two issues I can think of are that my indexer is 4.1.4 while forwarder is 4.1.5 - is that a problem? Also, how do I check if splunk runs into any firewall issue?
I know the Indexer is fine, as I have another splunk forwarder working fine.
Any Ideas how I make the forwarder active? How do I debug this?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No firewall, SearchHead, Indexer and UF all three on different Ubuntu Linux (64-bit) boxes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is happening to me with firewall turned OFF and forwarder version 5.03 in Windows.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I experienced this same "Configured but inactive forwards" problem. For me, the firewall was not the issue. Splunk Support confirmed to me that there is a bug in Splunk forwarder 5.0.1. I posted the details of the successful work around solution at
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have solved this to be a firewall issue. Port 9997 was blocked on the forwarder. Would be nice to have some indication of this from splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Worked for me. ex.:
(ubuntu)
sudo ufw allow 9997
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
