forwarder data transfer not working

chirag3pillar · ‎12-20-2013

I have set up an indexer and a forwwarder

On forwarder, the logs are -

12-20-2013 09:36:24.224 +0530 WARN TcpOutputFd - Connect to 192.168.1.40:9997 failed. No connection could be made because the target machine actively refused it.
12-20-2013 09:36:24.224 +0530 ERROR TcpOutputFd - Connection to host=192.168.1.40:9997 failed
12-20-2013 09:36:24.224 +0530 INFO TcpOutputProc - Detected connection to 192.168.1.40:9997 closed
12-20-2013 09:36:24.224 +0530 INFO TcpOutputProc - Will close stream to current indexer 192.168.1.40:9997
12-20-2013 09:36:24.224 +0530 INFO TcpOutputProc - Closing stream for idx=192.168.1.40:9997
12-20-2013 09:36:25.684 +0530 WARN TcpOutputFd - Connect to 192.168.1.40:9997 failed. No connection could be made because the target machine actively refused it.
12-20-2013 09:36:25.684 +0530 ERROR TcpOutputFd - Connection to host=192.168.1.40:9997 failed

12-20-2013 09:36:31.366 +0530 INFO TcpOutputProc - Connection to 192.168.1.40:9997 closed. Connection closed by server.

The indexer on the server is receiving data on 9997 (As the port is open) but there is no data transfer

Please let me know what i am doing wrong. I am a production 20 GB limit licensed user for Splunk

Thanks

chirag3pillar · ‎12-20-2013

solved it, thanks - index = main solved it

woodcock · ‎10-25-2017

You should click Accept to close this question.

lukejadamec · ‎12-20-2013

It sounds like you may be having a problem with the connnectionhost config. See this answer for more details.

http://answers.splunk.com/answers/49833/splunk-forwarder-connection-refused-from-splunk-indexer

Basically, it says you should try adding this to your indexer:

    Etc/system/local/inputs.conf

    [splunktcp://9997] 
connection_host = none