Configured but inactive Splunk-2-Splunk Forwards

barryv
Explorer

Hello,

I am trying to install a light forwarder and I am kind of stumped.

I did the following steps:

sudo /opt/splunk/bin/splunk start
sudo /opt/splunk/bin/splunk enable app SplunkLightForwarder -auth admin
sudo /opt/splunk/bin/splunk restart
./splunk add forward-server myserver.com:9997 -auth admin
sudo /opt/splunk/bin/splunk restart

And at the end I get:

Active Splunk-2-Splunk Forwards:
        None
Configured but inactive Splunk-2-Splunk Forwards:
        myserver.com:9997

Two issues I can think of are that my indexer is 4.1.4 while the forwarder is 4.1.5 - is that a problem? Also, how do I check if Splunk runs into any firewall issue?

I know the indexer is fine, as I have another Splunk forwarder working fine.

Any ideas how I make the forwarder active? How do I debug this?

Thanks!

miteshvohra
Contributor

No firewall, SearchHead, Indexer and UF all three on different Ubuntu Linux (64-bit) boxes.

0 Karma

ta_viewpointcs
Engager

This is happening to me with firewall turned OFF and forwarder version 5.03 in Windows.

0 Karma

gregcoats
Explorer

I experienced this same "Configured but inactive forwards" problem. For me, the firewall was not the issue. Splunk Support confirmed to me that there is a bug in Splunk forwarder 5.0.1. I posted the details of the successful workaround solution at

http://splunk-base.splunk.com/answers/70729/

barryv
Explorer

I have solved this to be a firewall issue. Port 9997 was blocked on the forwarder. Would be nice to have some indication of this from Splunk.

colares
Engager

Worked for me. Ex. (Ubuntu):
sudo ufw allow 9997

0 Karma
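
An added example, not part of the original thread: a shell sketch that answers the "how do I check for a firewall issue" question by pulling the inactive targets out of `splunk list forward-server` output and testing a plain TCP connect to each one from the forwarder. The function names are hypothetical, the sample is the output quoted in the question, and it assumes `bash` and coreutils `timeout` are installed.

```shell
#!/bin/sh
# Sample input: the forward-server listing quoted in the question above.
SAMPLE='Active Splunk-2-Splunk Forwards:
        None
Configured but inactive Splunk-2-Splunk Forwards:
        myserver.com:9997'

# Print each host:port listed under the "Configured but inactive" header.
inactive_forwards() {
    awk '
        /^Configured but inactive/ { grab = 1; next }
        /^[^ \t]/                  { grab = 0 }  # any other header ends the section
        grab && NF && $1 != "None" { print $1 }
    '
}

# Return 0 if a TCP connection to host ($1) port ($2) opens within 3 seconds.
# Uses the /dev/tcp redirection that bash provides (assumption: bash present).
check_tcp() {
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# Read a forward-server listing on stdin and report on each inactive target.
# Hostnames and IPv4 addresses only; an IPv6 literal would need other parsing.
diagnose() {
    inactive_forwards | while IFS=: read -r host port; do
        if check_tcp "$host" "$port"; then
            echo "$host:$port reachable over TCP: look beyond the network path"
        else
            echo "$host:$port NOT reachable: check firewalls on both ends and that the receiver listens on $port"
        fi
    done
}

# Offline demonstration of the parser on the sample; prints myserver.com:9997
printf '%s\n' "$SAMPLE" | inactive_forwards

# On a real forwarder (run from the forwarder host, not the indexer):
#   sudo /opt/splunk/bin/splunk list forward-server -auth admin | diagnose
```

A failed connect here only shows that the path is blocked somewhere between the two hosts; in this thread the block turned out to be on the forwarder's own firewall.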