I am trying to install a light forwarder and I am kind of stumped.
I did the following steps:
sudo /opt/splunk/bin/splunk start
sudo /opt/splunk/bin/splunk enable app SplunkLightForwarder -auth admin
sudo /opt/splunk/bin/splunk restart
./splunk add forward-server myserver.com:9997 -auth admin
sudo /opt/splunk/bin/splunk restart
And at the end I get:
Active Splunk-2-Splunk Forwards:
    None
Configured but inactive Splunk-2-Splunk Forwards:
    myserver.com:9997
Two issues I can think of are that my indexer is 4.1.4 while the forwarder is 4.1.5 - is that a problem? Also, how do I check if Splunk runs into any firewall issues?
I know the Indexer is fine, as I have another splunk forwarder working fine.
Any ideas how I make the forwarder active? How do I debug this?
No firewall, SearchHead, Indexer and UF all three on different Ubuntu Linux (64-bit) boxes.
This is happening to me with firewall turned OFF and forwarder version 5.03 in Windows.
I experienced this same "Configured but inactive forwards" problem. For me, the firewall was not the issue. Splunk Support confirmed to me that there is a bug in Splunk forwarder 5.0.1. I posted the details of the successful workaround solution at
I have solved this to be a firewall issue. Port 9997 was blocked on the forwarder. Would be nice to have some indication of this from Splunk.
Worked for me. ex.:
sudo ufw allow 9997
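
One way to check for the firewall case discussed in this thread, as an added example that is not part of any post above and is not Splunk's own tooling: it reads forward-server listing output, takes the targets under "Configured but inactive", and classifies a TCP connection attempt to each from the forwarder host. The sample output is constructed from the listing quoted in the question, and the function names `inactive_targets` and `probe` are hypothetical.

```python
import socket

# Constructed sample, shaped like the forward-server listing quoted in the question.
SAMPLE_OUTPUT = """\
Active Splunk-2-Splunk Forwards:
    None
Configured but inactive Splunk-2-Splunk Forwards:
    myserver.com:9997
"""

def inactive_targets(list_output):
    """Return (host, port) pairs listed under 'Configured but inactive'."""
    targets, in_inactive = [], False
    for line in list_output.splitlines():
        text = line.strip()
        if text.endswith("Forwards:"):
            # A section header: remember whether it is the inactive section.
            in_inactive = text.lower().startswith("configured but inactive")
        elif in_inactive and text and text.lower() != "none":
            host, _, port = text.rpartition(":")
            if host and port.isdigit():
                targets.append((host, int(port)))
    return targets

def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt from this machine to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: the network path is fine
    except socket.gaierror:
        return "dns-failure"       # the name does not resolve from this machine
    except ConnectionRefusedError:
        return "refused"           # reset received: nothing listening, or a rejecting filter
    except (socket.timeout, TimeoutError):
        return "timeout"           # no answer at all: typical of a filter silently dropping
    except OSError as exc:
        return "error: %s" % exc   # for example, no route to host

if __name__ == "__main__":
    for host, port in inactive_targets(SAMPLE_OUTPUT):
        print("%s:%d -> %s" % (host, port, probe(host, port)))
```

A result of "open" means the TCP path to the receiving port works and the cause lies elsewhere; "timeout" or "refused" points at filtering on either side or at no listener on the indexer.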