Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Clear indexing data on Splunk Indexer impact to Splunk forwarder lost connection to Splunk Indexer.

thomson12
New Member
‎09-20-2012 03:20 AM

Hi Splunk Support,

I have encounter the issue on Splunk Forwarder have lost connection to Splunk Indexer after clean indexing data on Splunk Indexer.

Scenario: I have cleaned indexing data on Splunk Indexer and check on Splunk Forwarder by command [~/bin/splunk list forward-server -auth username:password]

Result: Splunk Forwarder lost connection as below.
root@env # ~/bin/splunk list forward-server -auth username:password

Active Splunk-2-Splunk Forwards:

    Splunk_Indexer01:9997

Configured but inactive Splunk-2-Splunk Forwards:

    Splunk_Indexer02:9997

Please help. Thank you.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bmacias84
Champion
‎09-20-2012 03:23 PM

The splunk clean eventdata -index ##someidex### -f command is a stop the world event requiring you to stop and start splunkd.

Are you using the auto-load-balance feature on your fowarders? When the splunkd service starts responding the fowarder should pickit up on the next interval.

[tcpout]

[tcpout-server://server1:9997]
[tcpout-server://server2:9997]
[tcpout-server://server3:9997]

[tcpout:default-autolb-group]
autoLB = true
disabled = false
autoLBFrequency = 45
maxFailuresPerInterval = 3
secsInFailureInterval = 2
connectionTimeout = 10

server = server1:9997,server2:9997, server3:9997

View solution in original post

0 Karma
Reply
Solved! Jump to solution

thomson12
New Member
‎09-20-2012 07:25 PM

Thanks for advise, I found this message from Splunk forum "Running splunk list forward-server lists one of the servers under "Configured but inactive forwards:", but it is forwarding. (SPL-35461)" I was POC with my environment. Command "~/bin/splunk list forward-server -auth username:password" will display some Indexer inactive "Configured but inactive Splunk-2-Splunk Forwards" but forwarder still forwarding data to that server when I verify time from Search apps.

0 Karma
Reply
Solved! Jump to solution
Solution

bmacias84
Champion
‎09-20-2012 03:23 PM

The splunk clean eventdata -index ##someidex### -f command is a stop the world event requiring you to stop and start splunkd.

Are you using the auto-load-balance feature on your fowarders? When the splunkd service starts responding the fowarder should pickit up on the next interval.

[tcpout]

[tcpout-server://server1:9997]
[tcpout-server://server2:9997]
[tcpout-server://server3:9997]

[tcpout:default-autolb-group]
autoLB = true
disabled = false
autoLBFrequency = 45
maxFailuresPerInterval = 3
secsInFailureInterval = 2
connectionTimeout = 10

server = server1:9997,server2:9997, server3:9997

0 Karma
Reply
Solved! Jump to solution

jbsplunk
Splunk Employee
Splunk Employee
‎09-20-2012 02:47 PM

What does the TcpOutputProc component of splunkd in your splunkd.log show is happening with outgoing connections to the indexers? You should see some type of information on connections to both indexers.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...