Universal Forwarder will not activate

johnnyp74
Observer

I have installed and configured my Universal Forwarder; however, while it starts, it remains inactive:

Active forwards:
None

Configured but inactive forwards:
10.###.##.##:9997

I have validated that I am using the correct IP address, that I can ping the indexer from the forwarder, and that port 9997 is not blocked. So at this point I'm just not sure how to resolve this. Any assistance would be appreciated.

Thanks!

0 Karma

zksvc
Contributor

Have you made sure port 9997 is enabled on Receive Data?

You can go to "Settings -> Forwarding And Receiving -> Receive data -> +Add new"

0 Karma

khj
Explorer

1. Make sure the UF is operating normally.
$SPLUNK_HOME/bin/splunk status
There should be no message other than the phrase "is running".

2. Make sure that the log path you set in inputs.conf has a log.

3. Make sure the inputs.conf settings are set correctly.
If you set the index, the index must be created in the indexer.

4. Check the UI of the indexer to see if the data is in.
This method is more intuitive than checking with the inputs status of the CLI.

5. Search index=_internal and search for the UF's IP to see if there are any problems.

Karma if this has helped!

SanjayReddy
SplunkTrust

Hi @johnnyp74,

Have you restarted the Splunk service after updating outputs.conf?

And as you mentioned, you did a ping to check connectivity.

However, have you done a telnet on port 9997 to the indexer?

telnet <indexerip> 9997

In splunkd.log, have you seen any error messages? Certainly splunkd.log messages help to troubleshoot further.




0 Karma
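
The checks suggested in the replies above can be scripted; this is an added example, not part of any post in the thread. It assumes the listing in the question is the output of `splunk list forward-server`; the function names and the 192.0.2.x sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list inactive forward targets and TCP-test each one.

# Constructed sample in the format quoted in the question; 192.0.2.10 is a placeholder address.
SAMPLE_OUTPUT='Active forwards:
    None
Configured but inactive forwards:
    192.0.2.10:9997'

# Read `splunk list forward-server` output on stdin and print every host:port
# listed under "Configured but inactive forwards:".
inactive_forwards() {
  awk '
    /^Configured but inactive forwards:/ { grab = 1; next }
    /forwards:[ \t]*$/                   { grab = 0; next }
    grab && NF && $1 != "None"           { print $1 }
  '
}

# Succeed if a TCP connection to host:port opens within 5 seconds.
# Uses bash /dev/tcp, so it also works where telnet is not installed.
tcp_open() {
  timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "${1%:*}" "${1##*:}" 2>/dev/null
}

# Run the checks on a forwarder: connectivity first, then recent output errors.
check_forwarder() {
  "$SPLUNK_HOME/bin/splunk" list forward-server | inactive_forwards |
  while read -r target; do
    if tcp_open "$target"; then
      echo "$target: port reachable; restart after outputs.conf edits and review splunkd.log"
    else
      echo "$target: TCP connect failed; check the indexer's receiving port and firewalls"
    fi
  done
  # TcpOutputProc is the splunkd.log component that logs forwarding problems.
  grep 'TcpOutputProc' "$SPLUNK_HOME/var/log/splunk/splunkd.log" | tail -n 20
}

# Only run against a real installation; otherwise the functions are just defined.
if [ -n "${SPLUNK_HOME:-}" ] && [ -x "$SPLUNK_HOME/bin/splunk" ]; then
  check_forwarder
fi
```

A successful TCP connect only shows that something is listening on the port; the forward still stays inactive until the indexer has receiving enabled on it, which is the setting the first reply points to.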