Feedback
Got feedback? We want it! Submit your comments and suggestions for our community here.
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Universal Forwarder will not activate

johnnyp74
Observer
‎12-03-2024 07:46 AM

I have installed and configured my Universal forwarder, however while it starts it remains inactive:

Active forwards:
None

Configured but inactive forwards:
10.###.##.##:9997

I have validated that I am using the correct ip address, and that I can ping the indexer from the forwarder,  and that port 9997 is not blocked.  So at this point Im just not sure how to resolve this?  Any assistance would be appreciated.

Thanks!

0 Karma
Reply

zksvc
Contributor
‎04-28-2025 01:44 AM

Have you made sure port 9997 is enabled on Receive Data?

You can go to "Settings -> Forwarding And Receiving -> Receive data -> +Add new"

zksvc_1-1745829865488.png

 

 

0 Karma
Reply

khj
Explorer
‎04-17-2025 06:36 PM

1. Make sure the UF is operating normally.
$SPLUNK_HOME/bin/splunk status
There should be no message other than the phrase is running.

2. Make sure that the log path you set in inputs.conf has a log

3. Make sure the inputs.conf settings are set correctly
If you set the index, the index must be created in the indexer.

4. Check the UI of the indexer to see if the data is in.
This method is more intuitive than checking with the inputs status of the cli.

5. Search index=_internal and search UF's IP to see if there are any problems

Karma if this has helped!

Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎12-03-2024 08:15 AM

Hi @johnnyp74 

have you restarted splunk service after updating outputs.conf 

and as you mentioned you did ping to check connectivity 

however have you did telent on port 9997 to indexer?

telnet <indexerip> 9997 

in Splunkd.log have you seen any error messages, certainly splunkd.log messages help  to troubleshoot further   




0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...