Deployment Architecture

Configured but inactive Splunk-2-Splunk Forwards

barryv
Explorer

Hello,

I am trying to install a light forwarder and I am kind of stumped.

I did the following steps:

sudo /opt/splunk/bin/splunk start
sudo /opt/splunk/bin/splunk enable app SplunkLightForwarder -auth admin
sudo /opt/splunk/bin/splunk restart
./splunk add forward-server myserver.com:9997 -auth admin
sudo /opt/splunk/bin/splunk restart

And at the end I get:

Active Splunk-2-Splunk Forwards:
        None
Configured but inactive Splunk-2-Splunk Forwards:
        myserver.com:9997

Two issues I can think of are that my indexer is 4.1.4 while the forwarder is 4.1.5 - is that a problem? Also, how do I check if Splunk runs into any firewall issue?

I know the indexer is fine, as I have another Splunk forwarder working fine.

Any ideas how I make the forwarder active? How do I debug this?

Thanks!

miteshvohra
Contributor

No firewall, SearchHead, Indexer and UF all three on different Ubuntu Linux (64-bit) boxes.

0 Karma

ta_viewpointcs
Engager

This is happening to me with firewall turned OFF and forwarder version 5.03 in Windows.

0 Karma

gregcoats
Explorer

I experienced this same "Configured but inactive forwards" problem. For me, the firewall was not the issue. Splunk Support confirmed to me that there is a bug in Splunk forwarder 5.0.1. I posted the details of the successful workaround solution at

http://splunk-base.splunk.com/answers/70729/

barryv
Explorer

I have solved this to be a firewall issue. Port 9997 was blocked on the forwarder. Would be nice to have some indication of this from Splunk.

colares
Engager

Worked for me. ex.:
(ubuntu)
sudo ufw allow 9997

0 Karma
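
An added example, not part of any post in this thread: a way to answer the "is it the firewall?" question by pulling the inactive targets out of the listing shown in the question and testing a TCP connect to each. It assumes the listing comes from `splunk list forward-server`, that `bash` and `timeout` are installed, and the function names are made up for this sketch.

```shell
#!/bin/sh
# Constructed sample: the listing from the question above.
SAMPLE='Active Splunk-2-Splunk Forwards:
        None
Configured but inactive Splunk-2-Splunk Forwards:
        myserver.com:9997'

# Print each host:port listed under the "Configured but inactive" heading.
inactive_forwards() {
    awk '
        /^Configured but inactive/    { section = 1; next }
        /^[^[:space:]]/               { section = 0 }
        section && NF && $1 != "None" { print $1 }
    '
}

# Try a TCP connect to host:port with a 5 second limit (needs bash and timeout).
check_forward() {
    host=${1%:*}
    port=${1##*:}
    if timeout 5 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>/dev/null; then
        echo "$1: TCP connect OK, the network path is open; check splunkd.log next"
    else
        echo "$1: TCP connect FAILED, check firewalls on both ends and the indexer's listener"
        return 1
    fi
}

# Read a forward-server listing on stdin and test every inactive target.
check_all() {
    rc=0
    for target in $(inactive_forwards); do
        check_forward "$target" || rc=1
    done
    return $rc
}

# Demo on the constructed sample: parsing only, no network traffic.
printf '%s\n' "$SAMPLE" | inactive_forwards

# Real use (assumes the default install path from the thread):
#   sudo /opt/splunk/bin/splunk list forward-server | check_all
```

A failed connect points at the network path (host firewall, intermediate filtering, or nothing listening on the indexer port); a successful connect with the forward still inactive points at the Splunk side instead.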