Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Cannot see host on the Splunk server
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cannot see host on the Splunk server
I need help on my Splunk server. I cannot see the host the splunk server.
here is what my setup went:
1) install full splunk on server1. Installed *nix app and verified that it is collecting data.
2) install full splunk on server2. Installed *nix app and verified that it is collecting data.
3) configure receiving on splunk server1 to port 9997.
4) Enabled forwarding on server2.
cd /opt/splunk/bin
./splunk start
./splunk enable app SplunkLightForwarder
./splunk restart
./splunk add forward-server :9997
./splunk restart
5) Opened splunk server1 web but did not see server2.
Please advise, I appreciate your help ,thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Triptrops,
In your step above: "./splunk add forward-server :9997", what is the name/address of the receiving host (i.e. server1) that server2 should use? Note: That IP should go before the :9997.
When you run $SPLUNK_HOME/bin/splunk help add, you will see this example in the output:
./splunk add forward-server bologna:9997
In this case, the system bologna is the receiving host.
Set this correctly, and it will probably work.
Also, as a side note, if you are going to use the SplunkLightForwarder, you will probably be better off using the Splunk Universal Forwarder (a different installation package).
Sean
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I enabled the Splunk Universal Forwarder but still the splunk server cannot see it. Am I missing some steps?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Sean for your immediate response. Actually it was a typographical error.
I did execute this line as:
./splunk add forward-server server1.domain.com:9997
I still cannot see the host.
By the way, what is the difference between the light and the universal forwarder.
Thanks
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
