Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- 9998 port to open
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vikram_m
Path Finder
04-03-2017
07:06 AM
Port on the server and the network seems open for 9998 port for indexers to receive data but only 1 out of the 3 indexer is able to get data from forwarder service.
Is there anything on the console I need to ensure that 9998 port is open and Splunk can receive data from forwarders.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
04-03-2017
07:21 AM
Must not be blocked by firewall on either end. Must be route from forwarder to Indexer. ACL must be OK. Forwarder's outputs.conf must have all 3 Indexers defined. All Indexers must have the same inputs.conf settings. Try splunk list inputstatus on each Indexer and compare.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
04-03-2017
07:21 AM
Must not be blocked by firewall on either end. Must be route from forwarder to Indexer. ACL must be OK. Forwarder's outputs.conf must have all 3 Indexers defined. All Indexers must have the same inputs.conf settings. Try splunk list inputstatus on each Indexer and compare.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vikram_m
Path Finder
04-04-2017
03:23 AM
Thanks Woodcock
It seems you have a solution for me....I fired the command on all the 3 indexers we have and only one server showed below result.
tcp_cooked:listenerports :
9997
9998
Else for this other 2 indexer in cluster show
tcp_cooked:listenerports :
9997
Now please suggest where is the setting from where I can get the 9998 port opened.
Thanks a lot for the initial finding help.
Thanks.
Vikram.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
04-04-2017
06:36 AM
Yes you can add another listening port by either:
a) Using the GUI by going to Settings -> Data Inputs -> TCP -> New
b) Using the command-line command, ./splunk enable listen 9998 -auth admin:change me # Needs option for SSL
c) editing the inputs.conf file and adding a new stanza like this:
[splunktcp-ssl:9998]
compressed = true
See this documentation:
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Aboutforwardingandreceivingdata
Regarding SSL encryption, you need to decide whether you want to use your own certificates or the ones supplied by Splunk. I suggest you read this:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/UseSSLtoencryptandauthenticatedatafromforwa...
Get Updates on the Splunk Community!
Detecting Brute Force Account Takeover Fraud with Splunk
This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...
Buttercup Games: Further Dashboarding Techniques (Part 9)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Buttercup Games: Further Dashboarding Techniques (Part 8)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
