Universal Forwarder will not activate

johnnyp74
Observer

I have installed and configured my Universal Forwarder; however, while it starts, it remains inactive:

Active forwards:
None

Configured but inactive forwards:
10.###.##.##:9997

I have validated that I am using the correct IP address, that I can ping the indexer from the forwarder, and that port 9997 is not blocked. So at this point I'm just not sure how to resolve this. Any assistance would be appreciated.

Thanks!

0 Karma

zksvc
Contributor

Have you made sure port 9997 is enabled on Receive Data?

You can go to "Settings -> Forwarding And Receiving -> Receive data -> +Add new"

0 Karma

khj
Explorer

1. Make sure the UF is operating normally.
$SPLUNK_HOME/bin/splunk status
There should be no message other than the phrase "is running".

2. Make sure that the log path you set in inputs.conf has a log.

3. Make sure the inputs.conf settings are set correctly.
If you set the index, the index must be created in the indexer.

4. Check the UI of the indexer to see if the data is in.
This method is more intuitive than checking with the inputs status of the CLI.

5. Search index=_internal and search for the UF's IP to see if there are any problems.

Karma if this has helped!

SanjayReddy
SplunkTrust

Hi @johnnyp74 

Have you restarted the Splunk service after updating outputs.conf?

And as you mentioned, you did a ping to check connectivity.

However, have you done a telnet on port 9997 to the indexer?

telnet <indexerip> 9997

In splunkd.log, have you seen any error messages? Certainly splunkd.log messages help to troubleshoot further.




0 Karma
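The checks suggested in this thread can be scripted on the forwarder. The following is an added example, not code from any poster or from Splunk: it parses the "Configured but inactive forwards" listing shown in the question and tries a real TCP connection to each entry, since a successful ping says nothing about port 9997. It assumes that listing comes from `splunk list forward-server`, that `bash` and `timeout` are installed, and the function names and the sample address are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: triage outputs that stay "configured but inactive".

# Constructed sample of the listing quoted in the question (address is made up).
SAMPLE='Active forwards:
  None
Configured but inactive forwards:
  10.0.0.5:9997'

# Read the listing on stdin and print each host:port found under
# "Configured but inactive forwards:". "None" placeholders are skipped.
inactive_forwards() {
  awk '
    /^Configured but inactive forwards:/ { grab = 1; next }
    /:[[:space:]]*$/                     { grab = 0 }  # any other section header
    grab && NF && $1 != "None"           { print $1 }
  '
}

# Return 0 if a TCP connection to host ($1) port ($2) opens within 3 seconds.
# This is the scripted equivalent of "telnet <indexerip> 9997".
tcp_open() {
  timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Run on the forwarder. The splunk CLI may prompt for credentials.
main() {
  "${SPLUNK_HOME:?set SPLUNK_HOME first}/bin/splunk" list forward-server |
    inactive_forwards |
    while IFS= read -r target; do
      host=${target%:*}
      port=${target##*:}
      if tcp_open "$host" "$port"; then
        echo "$target: port opens; check Receive data on the indexer and splunkd.log"
      else
        echo "$target: TCP connect failed; check firewall rules and the indexer's listener"
      fi
    done
}

# Only touch the live system when explicitly asked: ./triage.sh check
if [ "${1:-}" = "check" ]; then
  main
fi
```

Invoke it with the argument `check` to query the local forwarder; without an argument it only defines the functions.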