Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why Can't I connect to heavy forwarder GUI?

jmrubio
Path Finder
‎09-13-2023 08:55 AM

I am getting a 500 internal server error when I try to connect to the HF GUI. I ran firewall-cmd --list-ports, and it shows 8000/tcp. I also checked web.conf, and it shows enableSplunkWebSSL = 1, as well as httport = 8000. What else can I check? I appreciate the help in advance!

Labels (1)
Labels
Tags (1)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-13-2023 11:45 PM

Hi

when you got error code 500 you obviously got connection to splunkd's http part, but for some reason it didn't work correctly. How you are try to connect and from where?

Did this work on HF host?

curl -vk https://localhost:8000

And how about when you switch localhost to your host real name and/or IP?

Are there anything on splunk's internal logs under /opt/splunk/var/log/splunk (access + splunkd) logs?

r. Ismo 

Reply

jmrubio
Path Finder
‎09-18-2023 07:38 AM

Hello @isoutamo ,

Sorry for the late response. So in the splunkd.logs all of the messages are - WARN TcpOutputProc [16779 indexerPipe] - The TCP output processor has paused the data flow. Forwarding to host_dest=<IP> inside output group default-autolb-group from host_src=Splunk_Heavy_Forwarder has been blocked for blocked_seconds=355350. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data. 

And the last message in the splunkd_access.log is from June  : (

I am trying to connect to the HF through the web, and the cURL command returned a 303 error "The resource has moved temporarily"

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-18-2023 11:52 AM

If there are no new entries in your access log it could signal storage problems. Did you check your free disk space?

0 Karma
Reply

jmrubio
Path Finder
‎09-13-2023 09:13 AM

Hello @gcusello,

Firewalld is running, and I do not see anything disabling web interface in server.conf. The "trustedIP" is commented out, but I do not know if that matters.

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-13-2023 11:25 PM

Hi @jmrubio,

if firewalld is running this could be the issue.

Try to disable it (or permit traffic on port 8000) and check if you can access web interface.

Ciao.

Giuseppe

0 Karma
Reply

jmrubio
Path Finder
‎09-18-2023 07:58 AM

Hello @gcusello,

I tried ss -na | grep 8000 and it returned:

tcp  LISTEN  0  128  *:8000  *:*

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-18-2023 09:03 AM

Hi @jmrubio,

did you disabled firewalld?

systemctl stop firewalld
systemctl disable firewalld

Ciao.

Giuseppe

0 Karma
Reply

jmrubio
Path Finder
‎09-18-2023 09:36 AM

Is that the only way to get the data in? This is a production server and I don't think I will be able to disable/stop firewalld.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-13-2023 09:00 AM

Hi @jmrubio ,

did you disabled local firewall on this server?

check if you disabled web interface in server.conf.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...