Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Changes to forwarder->indexer connectivity in 6.3.0?

emiller42
Motivator
‎09-24-2015 03:14 PM

Hello! I've upgraded my test environments to Splunk 6.3, and I'm noticing that my forwarders have begun throwing the following warnings in splunkd.log:

WARN  DistributedPeerManagerHeartbeat - Unable to get server info from peer: http://<IP OF INDEXER>:8089 due to: Connect Timeout; exceeded 10000 milliseconds

Now, I'm not sure why my forwarders are attempting to reach the management port on my indexers in the first place. These environments do not use index clustering, so the only port open between the two is 9997 for forwarding data. Is there some new functionality that needs the indexer management port to be accessible to the forwarder?

I'm not noticing any gaps in indexed data, so there doesn't appear to be any appreciable impact. But the warnings are concerning.

Reply
1 Solution
Solved! Jump to solution
Solution

amathew_splunk
Splunk Employee
Splunk Employee
‎09-25-2015 11:31 AM

Is the indexer set to be a distributed search peer of the forwarder ? On a pure forwarder (as against a search head that's forwarding it's internal logs ) distsearch.conf shouldn't be listing any search peers.

View solution in original post

Reply
Solved! Jump to solution
Solution

amathew_splunk
Splunk Employee
Splunk Employee
‎09-25-2015 11:31 AM

Is the indexer set to be a distributed search peer of the forwarder ? On a pure forwarder (as against a search head that's forwarding it's internal logs ) distsearch.conf shouldn't be listing any search peers.

Reply
Solved! Jump to solution

emiller42
Motivator
‎09-25-2015 12:58 PM

Aha, there's a distsearch.conf file on the forwarder for some reason. It's got an old modtime, so assuming it's something leftover from botched automation. I'll get it fixed. Thank you!!

0 Karma
Reply
Solved! Jump to solution

ashleyherbert
Communicator
‎09-24-2015 10:22 PM

I haven't tried out the 6.3 forwarder yet, but my best bet would be that it is trying to connect to the cluster master. There is a new feature called 'Indexer Auto-Discovery' which connects to the cluster master to determine which indexers are available. See here: http://docs.splunk.com/Documentation/Splunk/6.3.0/Indexer/indexerdiscovery

Could that be turned on by default?

0 Karma
Reply
Solved! Jump to solution

emiller42
Motivator
‎09-25-2015 08:40 AM

It looks like you have to explicitly configure the forwarder to tell it where to go for indexer discovery. Since I haven't set that up, (There is no [indexer_discovery:$foo] stanza on the forwarder) I would be very surprised if it was just trying to reach out to an indexer for that info.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...