Forwarders not forwarding

vdevarayan
Path Finder

I have a Splunk index running at host1:9997
(I used this command to enable it: /opt/splunk/bin/splunk enable listen 9997)

I installed the forwarder using splunkforwarder-6.2.2-255606-linux-2.6-x86_64.rpm

I added inputs.conf and its content is like this:

[root@/opt/splunkforwarder/etc/system/local]# cat inputs.conf
[default]
host = host2

[monitor:///tmp/test-splunk.csv]
sourcetype = test_result
disabled = 0
index = test_result

[root@/opt/splunkforwarder/etc/system/local]# /opt/splunkforwarder/bin/splunk list forward-server
Active forwards:
None
Configured but inactive forwards:
host1:9997

[root@/opt/splunkforwarder/etc/system/local]# ls -l /tmp/test-splunk.csv
-rw-r--r-- 1 root root 3704 Feb 25 07:22 /tmp/holodeck-splunk.csv

I restarted the forwarder, but Active forwards still says None.

Though the files are owned by root, the perms seem correct.

Am I missing any steps?

I followed the steps from:

http://answers.splunk.com/answers/50082/how-do-i-configure-a-splunk-forwarder-on-linux.html

0 Karma
1 Solution

vdevarayan
Path Finder

The problem got solved when I added the index on the indexer.
I followed the instructions given at
http://answers.splunk.com/answers/50082/how-do-i-configure-a-splunk-forwarder-on-linux.html

It did not mention adding the index name to the indexer. I missed this step.
Now it's all good.

0 Karma

vdevarayan
Path Finder

I added the outputs.conf as mentioned above. I changed the server to have the index host listening on 9997.
Here is my outputs.conf:
[tcpout]
autoLB = true
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = host1:9997

[tcpout-server://host1:9997]

Here is the output
tail -100f /opt/splunkforwarder/var/log/splunk/splunkd.log | grep TcpOutputProc

02-25-2015 08:16:11.051 +0000 INFO TcpOutputProc - Initializing with fwdtype=lwf
02-25-2015 08:16:11.057 +0000 INFO TcpOutputProc - found Whitelist forwardedindex.0.whitelist , RE : forwardedindex.0.whitelist
02-25-2015 08:16:11.057 +0000 INFO TcpOutputProc - found Blacklist forwardedindex.1.blacklist , RE : forwardedindex.1.blacklist
02-25-2015 08:16:11.057 +0000 INFO TcpOutputProc - found Whitelist forwardedindex.2.whitelist , RE : forwardedindex.2.whitelist
02-25-2015 08:16:11.057 +0000 INFO TcpOutputProc - Initializing connection for non-ssl forwarding to host1:9997
02-25-2015 08:16:11.057 +0000 INFO TcpOutputProc - tcpout group default-autolb-group using Auto load balanced forwarding
02-25-2015 08:16:11.057 +0000 INFO TcpOutputProc - Group default-autolb-group initialized with maxQueueSize=512000 in bytes.
02-25-2015 08:16:11.152 +0000 INFO TcpOutputProc - Connected to idx=10.90.108.107:9997

How to verify this step:
check if you have enabled receiving on indexer with port 9997

thanks

0 Karma

satishsdange
Builder

I see your UF is connected to the indexer. Are you still facing the problem?

Here is the command to enable receiving on the indexer:
./splunk enable listen 9997

0 Karma

satishsdange
Builder

Outputs.conf seems to be missing.

[tcpout]
autoLB = true
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
disabled = false
server = 192.168.10.3:9997,192.168.10.4:9997,192.168.10.8:9997

Also check if you have enabled receiving on the indexer with port 9997.

If the problem still persists, then check the below and share the result:

tail -100f splunkd.log | grep TcpOutputProc
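
The two gaps this thread turned up (no outputs.conf on the forwarder, and the test_result index not yet created on the indexer) can be checked from the config files before restarting anything. The Python below is an added example, not part of the original thread and not Splunk tooling; the function names and the indexer-side indexes.conf samples are constructed for illustration, and it assumes "main" is the index used when a stanza names none.

```python
import configparser

# Forwarder inputs.conf and outputs.conf as posted in the thread (blank lines dropped).
INPUTS = """[default]
host = host2
[monitor:///tmp/test-splunk.csv]
sourcetype = test_result
disabled = 0
index = test_result
"""
OUTPUTS = """[tcpout]
autoLB = true
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
disabled = false
server = host1:9997
"""
# Constructed indexer-side indexes.conf samples; only stanza names matter here.
INDEXES_BEFORE = "[main]\n"
INDEXES_AFTER = "[main]\n\n[test_result]\n"

def parse_conf(text):
    """Parse Splunk .conf text (INI-like stanzas) without lowercasing keys."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. defaultGroup
    cp.read_string(text)
    return cp

def preflight(inputs_text, outputs_text, indexer_indexes_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    outputs = parse_conf(outputs_text)
    group = outputs.get("tcpout", "defaultGroup", fallback=None)
    servers = outputs.get(f"tcpout:{group}", "server", fallback="") if group else ""
    if not [s for s in servers.split(",") if s.strip()]:
        findings.append("outputs.conf: no receiver set for the default tcpout group")
    defined = set(parse_conf(indexer_indexes_text).sections())
    inputs = parse_conf(inputs_text)
    for stanza in inputs.sections():
        off = inputs.get(stanza, "disabled", fallback="0").lower() in ("1", "true")
        if off or not stanza.startswith("monitor://"):
            continue  # only enabled file monitors are checked
        index = inputs.get(stanza, "index", fallback="main")  # assumed default
        if index not in defined:
            findings.append(f"{stanza}: index '{index}' is not defined on the indexer")
    return findings

if __name__ == "__main__":
    print(preflight(INPUTS, "", INDEXES_BEFORE))      # both gaps reported
    print(preflight(INPUTS, OUTPUTS, INDEXES_AFTER))  # []
```

An empty list only says the two files agree; whether the receiver is reachable still shows up in the TcpOutputProc lines of splunkd.log.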
