Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Configured but inactive Splunk-2-Splunk Forwards

barryv
Explorer
‎11-10-2010 09:53 PM

Hello,

I am trying to install a light forwarder and I am kind of stumped.

I did the following steps:

sudo /opt/splunk/bin/splunk start
sudo /opt/splunk/bin/splunk enable app SplunkLightForwarder -auth admin
sudo /opt/splunk/bin/splunk restart
./splunk add forward-server   myserver.com:9997 -auth admin
sudo /opt/splunk/bin/splunk restart

And at the end I get:

Active Splunk-2-Splunk Forwards:
        None
Configured but inactive Splunk-2-Splunk Forwards:
        myserver.com:9997

Two issues I can think of are that my indexer is 4.1.4 while forwarder is 4.1.5 - is that a problem? Also, how do I check if splunk runs into any firewall issue?

I know the Indexer is fine, as I have another splunk forwarder working fine.

Any Ideas how I make the forwarder active? How do I debug this?

Thanks!

Tags (1)
Reply

miteshvohra
Contributor
‎07-13-2013 10:51 PM

No firewall, SearchHead, Indexer and UF all three on different Ubuntu Linux (64-bit) boxes.

0 Karma
Reply

ta_viewpointcs
Engager
‎06-27-2013 04:56 PM

This is happening to me with firewall turned OFF and forwarder version 5.03 in Windows.

0 Karma
Reply

gregcoats
Explorer
‎01-10-2013 12:46 PM

I experienced this same "Configured but inactive forwards" problem. For me, the firewall was not the issue. Splunk Support confirmed to me that there is a bug in Splunk forwarder 5.0.1. I posted the details of the successful work around solution at

http://splunk-base.splunk.com/answers/70729/

Reply

barryv
Explorer
‎11-11-2010 02:07 PM

I have solved this to be a firewall issue. Port 9997 was blocked on the forwarder. Would be nice to have some indication of this from splunk.

Reply

colares
Engager
‎03-02-2013 01:06 PM

Worked for me. ex.:
(ubuntu)
sudo ufw allow 9997

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...