Getting Data In

Can the Forwarder management app start Splunk forwarders?

Ultra Champion

The Admin study guide mentions that the Forwarder management app can restart forwarders. Is it possible to start from the Forwarder management app forwarders which are down?

I'm looking at the *Phone Home: Later than expected * tab (6.5.2) and see two forwarders. It doesn't seem that I can start them from here..

Tags (2)
0 Karma
1 Solution

Splunk Employee
Splunk Employee

No, you currently cant start instances that are stopped. You only have the ability to push an app that causes the Forwarder to restart.

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

No, you currently cant start instances that are stopped. You only have the ability to push an app that causes the Forwarder to restart.

View solution in original post

0 Karma

Contributor

Just to address ddrillic’s questions:

If the forwarders are actively phoning home, then the forwarder service is probably running. If you have an entry in your forwarder management app where the forwarder is showing up, but you suspect the service isn’t running, delete the record and allow it to phone home again to verify. Now, I have run into a weird case where the forwarder was running, and phoning home, but was in an errored state and not forwarding logs (this was on Windows), and I had to restart it to get it forward data again.

If the forwarder service is not running, you will not be able to push an app to it.

Forwarder management does have the option to restart a forwarder, but only after a successful installation of an app, not manually. You can either use the GUI in the forwarder management app to check the “Restart Splunkd” or edit your serverclass.conf file with restartSplunkd = true

If a forwarder is down (as in the service is not running), you don’t necessarily have to log into the server to restart it. You could either do it remotely via a management application (like SCCM for Windows or set it up with something like Puppet for Linux), a remote script, or create a scheduled task with a local script to check the status of the service, and restart it if it is down (Windows) or set up a cron job with something like a bash or python script to query the status and restart and/or start it if it is down.

Ultra Champion

Just to be clear - if a forwarder is down, we must get on the server in order to start it, right?

0 Karma

Ultra Champion

@esix_splunk - it's not totally clear - if the forwarder isn’t running, how can you push an app to it?

0 Karma

Splunk Employee
Splunk Employee

You cannot push an app via Splunk, if the forwarder isnt :

1) Running
2) Current has a deploymentclient.conf file installed and pointing to your deployment server
3) On the deploymentserver, isnt configured as a member of any serverclasses

To elaborate more on running.. this means the UF/HF needs to be in an running state and have network connectivity to the Deployment Server.

Ultra Champion

Much appreciated!!

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!