Forwarder Management All clients phoning home later than expected

sdiaz5796
Loves-to-Learn Lots

We have a stand-alone Splunk instance in a closed area. We had to roll back the server to a snapshot, and now the clients only phone home when we restart the Splunk server. I've looked at the Splunk log and the phonehome log, and checked the outputs.conf. I've run telnet server:8089 and 9997 from the clients, and the ports are open and listening. Any help would be appreciated. We are on version 9.3.1.

0 Karma

PickleRick
SplunkTrust

What do you mean by "clients phoning home only when you restart the DS"? How did you determine this? The clients phone home on schedule - it's asynchronous versus whatever the DS is doing.

0 Karma

sdiaz5796
Loves-to-Learn Lots

"How did you determine this?" - This is what the Forwarder Management Web UI shows us; the client phone home time stamp coincides with the restart.

0 Karma

PickleRick
SplunkTrust

OK. So this is not (or at least might not be) about the phonehomes as such but about the info shown in the DS console.

I'd go for

1) Verifying on selected forwarders that the phonehomes are shown in the splunkd.log

2) Checking the logs on the DS itself to see if it can see the phonehomes.

3) Checking if you have the selective routing properly configured on the DS. https://help.splunk.com/en/splunk-enterprise/administer/manage-distributed-deployments/9.2/configure... (it's not about upgraded instances only; we had this issue lately on a new installation of 9.3.something).

0 Karma
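An added example (not part of the thread or of Splunk's tooling) for checks 1) and 2) in the post above: it scans deployment-server access-log lines for phonehome requests and reports, per client, the count, last-seen time, longest gap and non-200 responses. The log layout, the `connection_...` client names, hosts and GUID placeholders in the sample are constructed for illustration, and `expected_secs` and `slack` are assumed parameters to set to your own phonehome interval.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the assumed shape of a deployment server's
# splunkd_access.log; hosts, GUID placeholders and times are made up.
SAMPLE = """\
10.0.0.5 - - [15/Sep/2025:10:00:01.120 +0000] "POST /services/broker/phonehome/connection_10.0.0.5_8089_fwd-a_fwd-a_GUID-A HTTP/1.1" 200 24 "-" "Splunk/9.3.1" - - - 2ms
10.0.0.6 - - [15/Sep/2025:10:00:03.500 +0000] "POST /services/broker/phonehome/connection_10.0.0.6_8089_fwd-b_fwd-b_GUID-B HTTP/1.1" 200 24 "-" "Splunk/9.3.1" - - - 1ms
10.0.0.5 - - [15/Sep/2025:10:01:01.300 +0000] "POST /services/broker/phonehome/connection_10.0.0.5_8089_fwd-a_fwd-a_GUID-A HTTP/1.1" 200 24 "-" "Splunk/9.3.1" - - - 2ms
10.0.0.9 - - [15/Sep/2025:10:01:10.000 +0000] "GET /services/server/info HTTP/1.1" 200 512 "-" "curl" - - - 1ms
10.0.0.5 - - [15/Sep/2025:10:02:01.100 +0000] "POST /services/broker/phonehome/connection_10.0.0.5_8089_fwd-a_fwd-a_GUID-A HTTP/1.1" 200 24 "-" "Splunk/9.3.1" - - - 2ms
10.0.0.6 - - [15/Sep/2025:10:09:40.000 +0000] "POST /services/broker/phonehome/connection_10.0.0.6_8089_fwd-b_fwd-b_GUID-B HTTP/1.1" 401 24 "-" "Splunk/9.3.1" - - - 1ms
"""

# Only phonehome POSTs match; every other request is ignored.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /services/broker/phonehome/(?P<client>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

def phonehome_report(text, expected_secs=60, slack=2.0):
    """Summarise phonehome requests per client as seen by the server."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f %z")
        seen[m["client"]].append((ts, int(m["status"])))
    report = {}
    for client, hits in seen.items():
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        max_gap = max(gaps, default=0.0)
        report[client] = {
            "count": len(hits),
            "last_seen": hits[-1][0],
            "max_gap": max_gap,
            "non_200": sum(1 for _, status in hits if status != 200),
            # Late = longest silence exceeds the expected interval times slack.
            "late": max_gap > expected_secs * slack,
        }
    return report

if __name__ == "__main__":
    for name, row in sorted(phonehome_report(SAMPLE).items()):
        print(name, row["count"], row["last_seen"].isoformat(), row["max_gap"], row["late"])
```

If the server-side lines show clients arriving on schedule while the Forwarder Management page still shows stale timestamps, the gap is in what the console displays rather than in the phonehomes themselves.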

LAME-Creations
Path Finder

It sounds like your clients (forwarders) are not consistently communicating with the Splunk instance after the snapshot rollback. Since telnet confirms ports 8089 and 9997 are open, and the issue only resolves temporarily after restarting the Splunk server, here are a few steps to troubleshoot:
  1. Check Forwarder Configuration: Verify the deploymentclient.conf on the clients points to the correct Splunk server hostname/IP and port (8089 for management). Ensure the phoneHomeIntervalInSecs is set appropriately (default is 60 seconds).
  2. Validate Server Rollback Impact: The rollback may have caused a mismatch in SSL certificates or server identity. Check if the server’s server.conf or certificates (in $SPLUNK_HOME/etc/auth/) were altered. Regenerate or redeploy certificates if needed.
  3. Inspect Splunkd Logs on Clients: Look at $SPLUNK_HOME/var/log/splunk/splunkd.log on the clients for errors related to connection failures or authentication issues when phoning home.
  4. Network Stability: Ensure there are no intermittent network issues or firewalls blocking consistent communication. Test with tcpdump or netstat on the server to confirm client connections.
  5. Indexer Acknowledgment: If using indexer acknowledgment, verify the outputs.conf on clients has useACK=true and check for any backlog in the indexing queue on the server.
  6. Splunk Version Compatibility: Confirm the forwarders are on a compatible version with 9.3.1. If not, upgrade them to match.
Try restarting the forwarders after checking the above. If the issue persists, share any relevant errors from the client or server logs for further assistance.

0 Karma

sdiaz5796
Loves-to-Learn Lots

Still no success after attempting all the steps below. Checked splunkd log on a few forwarders as well as the deployment server, and neither indicated connection errors. One question I have is in regard to indexes. From the web UI I see the _dsphonehome, _dsappevent, _dsclient, but I don't see those indexes in the indexes.conf file on the deployment server. Another note: I found this and am wondering if it could help. Our Splunk instance is at version 9.3.1.

 

https://community.splunk.com/t5/Splunk-Enterprise/After-upgrading-my-DS-to-Enterprise-9-2-2-clients-...

0 Karma