I am trying to install a light forwarder and I am kind of stumped.
I did the following steps:
sudo /opt/splunk/bin/splunk start sudo /opt/splunk/bin/splunk enable app SplunkLightForwarder -auth admin sudo /opt/splunk/bin/splunk restart ./splunk add forward-server myserver.com:9997 -auth admin sudo /opt/splunk/bin/splunk restart
And at the end I get:
Active Splunk-2-Splunk Forwards: None Configured but inactive Splunk-2-Splunk Forwards: myserver.com:9997
Two issues I can think of are that my indexer is 4.1.4 while forwarder is 4.1.5 - is that a problem? Also, how do I check if splunk runs into any firewall issue?
I know the Indexer is fine, as I have another splunk forwarder working fine.
Any Ideas how I make the forwarder active? How do I debug this?
I experienced this same "Configured but inactive forwards" problem. For me, the firewall was not the issue. Splunk Support confirmed to me that there is a bug in Splunk forwarder 5.0.1. I posted the details of the successful work around solution at