Configured but inactive Splunk-2-Splunk Forwards

barryv · ‎11-10-2010

Hello,

I am trying to install a light forwarder and I am kind of stumped.

I did the following steps:

sudo /opt/splunk/bin/splunk start
sudo /opt/splunk/bin/splunk enable app SplunkLightForwarder -auth admin
sudo /opt/splunk/bin/splunk restart
./splunk add forward-server   myserver.com:9997 -auth admin
sudo /opt/splunk/bin/splunk restart

And at the end I get:

Active Splunk-2-Splunk Forwards:
        None
Configured but inactive Splunk-2-Splunk Forwards:
        myserver.com:9997

Two issues I can think of are that my indexer is 4.1.4 while forwarder is 4.1.5 - is that a problem? Also, how do I check if splunk runs into any firewall issue?

I know the Indexer is fine, as I have another splunk forwarder working fine.

Any Ideas how I make the forwarder active? How do I debug this?

Thanks!

miteshvohra · ‎07-13-2013

No firewall, SearchHead, Indexer and UF all three on different Ubuntu Linux (64-bit) boxes.

ta_viewpointcs · ‎06-27-2013

This is happening to me with firewall turned OFF and forwarder version 5.03 in Windows.

gregcoats · ‎01-10-2013

I experienced this same "Configured but inactive forwards" problem. For me, the firewall was not the issue. Splunk Support confirmed to me that there is a bug in Splunk forwarder 5.0.1. I posted the details of the successful work around solution at

http://splunk-base.splunk.com/answers/70729/

barryv · ‎11-11-2010

I have solved this to be a firewall issue. Port 9997 was blocked on the forwarder. Would be nice to have some indication of this from splunk.

colares · ‎03-02-2013

Worked for me. ex.:
(ubuntu)
sudo ufw allow 9997

Configured but inactive Splunk-2-Splunk Forwards

.conf23 Registration is Now Open!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control