Getting Data In

Communication failing between forwarder and receiver

Path Finder

My new forwarder appears not to be talking to the configured indexer(s)

[tcpout]
defaultGroup = splunk1_9997_splunk2_9997
disabled = false
indexAndForward = 0

[tcpout:splunk1_9997_splunk2_9997]
autoLB = true
server = splunk1:9997,splunk2:9997

I have another forwarder with an identical outputs.conf and that works fine.

Inputs.conf on the indexers looks like:
[splunktcp://10.1.2.1:9997]

On the forwarder

03-16-2012 14:20:24.902 +1000 INFO  TcpOutputProc - Connected to idx=10.1.2.3:9997
03-16-2012 14:20:24.902 +1000 INFO  TcpOutputProc - Connection to 10.1.2.3:9997 closed. Connection closed by server.
03-16-2012 14:20:24.903 +1000 WARN  TcpOutputProc - Applying quarantine to idx=10.1.2.3:9997 numberOfFailures=2
03-16-2012 14:20:24.903 +1000 INFO  TcpOutputProc - Connected to idx=10.1.2.3:9997
03-16-2012 14:20:24.904 +1000 INFO  TcpOutputProc - Connection to 10.1.2.3:9997 closed. Connection closed by server.
03-16-2012 14:20:24.904 +1000 WARN  TcpOutputProc - Applying quarantine to idx=10.1.2.3:9997 numberOfFailures=3

On the indexer

03-16-2012 14:20:24.903 +1000 INFO  TcpInputProc - No matching config for 10.1.2.4
03-16-2012 14:20:24.903 +1000 WARN  TcpInputProc - Could not find matching host.
03-16-2012 14:20:24.903 +1000 INFO  TcpInputProc - No matching config for 10.1.2.4
03-16-2012 14:20:24.903 +1000 WARN  TcpInputProc - Could not find matching host.
03-16-2012 14:20:24.904 +1000 INFO  TcpInputProc - No matching config for 10.1.2.4
03-16-2012 14:20:24.904 +1000 WARN  TcpInputProc - Could not find matching host.
03-16-2012 14:20:24.904 +1000 INFO  TcpInputProc - No matching config for 10.1.2.4
03-16-2012 14:20:24.904 +1000 WARN  TcpInputProc - Could not find matching host.

What matching config is it looking for? Connectivity is definitely fine.

Updated Corrected inputs.conf to outputs.conf, added indexer inputs.conf as per Kristian's comment

Tags (2)
0 Karma
1 Solution

Path Finder

I was misunderstanding the [splunktcp://ipaddress:port] configuration.
I thought the ipaddress was localhost, but it's actually remoteserver (forwarders that are allowed to connect).

Adding the new forwarders to inputs.conf fixes this issue. Thanks to Kristian for helping me look in the right direction.

View solution in original post

0 Karma

Path Finder

I was misunderstanding the [splunktcp://ipaddress:port] configuration.
I thought the ipaddress was localhost, but it's actually remoteserver (forwarders that are allowed to connect).

Adding the new forwarders to inputs.conf fixes this issue. Thanks to Kristian for helping me look in the right direction.

View solution in original post

0 Karma

Ultra Champion

you're welcome. /K

0 Karma

Ultra Champion

Could you please post the inputs.conf files for the indexers.

Also, you said that other forwarders had the same INPUTS.CONF, but surely you mean OUTPUTS.CONF, right?

/k