Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: forwarder data transfer not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
forwarder data transfer not working
I have set up an indexer and a forwwarder
On forwarder, the logs are -
12-20-2013 09:36:24.224 +0530 WARN TcpOutputFd - Connect to 192.168.1.40:9997 failed. No connection could be made because the target machine actively refused it.
12-20-2013 09:36:24.224 +0530 ERROR TcpOutputFd - Connection to host=192.168.1.40:9997 failed
12-20-2013 09:36:24.224 +0530 INFO TcpOutputProc - Detected connection to 192.168.1.40:9997 closed
12-20-2013 09:36:24.224 +0530 INFO TcpOutputProc - Will close stream to current indexer 192.168.1.40:9997
12-20-2013 09:36:24.224 +0530 INFO TcpOutputProc - Closing stream for idx=192.168.1.40:9997
12-20-2013 09:36:25.684 +0530 WARN TcpOutputFd - Connect to 192.168.1.40:9997 failed. No connection could be made because the target machine actively refused it.
12-20-2013 09:36:25.684 +0530 ERROR TcpOutputFd - Connection to host=192.168.1.40:9997 failed
12-20-2013 09:36:31.366 +0530 INFO TcpOutputProc - Connection to 192.168.1.40:9997 closed. Connection closed by server.
The indexer on the server is receiving data on 9997 (As the port is open) but there is no data transfer
Please let me know what i am doing wrong. I am a production 20 GB limit licensed user for Splunk
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
solved it, thanks - index = main solved it
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should click Accept to close this question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It sounds like you may be having a problem with the connnectionhost config. See this answer for more details.
http://answers.splunk.com/answers/49833/splunk-forwarder-connection-refused-from-splunk-indexer
Basically, it says you should try adding this to your indexer:
Etc/system/local/inputs.conf
[splunktcp://9997]
connection_host = none
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
