Communication failing between forwarder and receiver

willthames2
Path Finder

My new forwarder appears not to be talking to the configured indexer(s)

[tcpout]
defaultGroup = splunk1_9997_splunk2_9997
disabled = false
indexAndForward = 0

[tcpout:splunk1_9997_splunk2_9997]
autoLB = true
server = splunk1:9997,splunk2:9997

I have another forwarder with an identical outputs.conf and that works fine.

Inputs.conf on the indexers looks like:
[splunktcp://10.1.2.1:9997]

On the forwarder

03-16-2012 14:20:24.902 +1000 INFO  TcpOutputProc - Connected to idx=10.1.2.3:9997
03-16-2012 14:20:24.902 +1000 INFO  TcpOutputProc - Connection to 10.1.2.3:9997 closed. Connection closed by server.
03-16-2012 14:20:24.903 +1000 WARN  TcpOutputProc - Applying quarantine to idx=10.1.2.3:9997 numberOfFailures=2
03-16-2012 14:20:24.903 +1000 INFO  TcpOutputProc - Connected to idx=10.1.2.3:9997
03-16-2012 14:20:24.904 +1000 INFO  TcpOutputProc - Connection to 10.1.2.3:9997 closed. Connection closed by server.
03-16-2012 14:20:24.904 +1000 WARN  TcpOutputProc - Applying quarantine to idx=10.1.2.3:9997 numberOfFailures=3

On the indexer

03-16-2012 14:20:24.903 +1000 INFO  TcpInputProc - No matching config for 10.1.2.4
03-16-2012 14:20:24.903 +1000 WARN  TcpInputProc - Could not find matching host.
03-16-2012 14:20:24.903 +1000 INFO  TcpInputProc - No matching config for 10.1.2.4
03-16-2012 14:20:24.903 +1000 WARN  TcpInputProc - Could not find matching host.
03-16-2012 14:20:24.904 +1000 INFO  TcpInputProc - No matching config for 10.1.2.4
03-16-2012 14:20:24.904 +1000 WARN  TcpInputProc - Could not find matching host.
03-16-2012 14:20:24.904 +1000 INFO  TcpInputProc - No matching config for 10.1.2.4
03-16-2012 14:20:24.904 +1000 WARN  TcpInputProc - Could not find matching host.

What matching config is it looking for? Connectivity is definitely fine.

Updated: corrected inputs.conf to outputs.conf, added indexer inputs.conf as per Kristian's comment.

willthames2
Path Finder

I was misunderstanding the [splunktcp://ipaddress:port] configuration.
I thought the ipaddress was localhost, but it's actually remoteserver (forwarders that are allowed to connect).

Adding the new forwarders to inputs.conf fixes this issue. Thanks to Kristian for helping me look in the right direction.

0 Karma
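
The check described in the solution above, as an added example (not code from the thread or from Splunk): it cross-references the indexer's "No matching config for" log lines with the remote hosts named in its [splunktcp://...] stanzas. The sample config and log text are constructed from the excerpts in the question, the function names are hypothetical, and it assumes IPv4 addresses or hostnames in the stanza header.

```python
import re
from collections import Counter

# Constructed sample: the indexer's inputs.conf as posted in the question.
INPUTS_CONF = "[splunktcp://10.1.2.1:9997]\n"

# Constructed sample: indexer splunkd.log lines in the format shown in the question.
INDEXER_LOG = """\
03-16-2012 14:20:24.903 +1000 INFO  TcpInputProc - No matching config for 10.1.2.4
03-16-2012 14:20:24.903 +1000 WARN  TcpInputProc - Could not find matching host.
03-16-2012 14:20:24.904 +1000 INFO  TcpInputProc - No matching config for 10.1.2.4
"""

# Matches [splunktcp://host:port], [splunktcp://:port] and [splunktcp://port].
STANZA = re.compile(r"^\[splunktcp://(?:(?P<host>[^\]:]*):)?(?P<port>\d+)\]$")
REJECT = re.compile(r"TcpInputProc - No matching config for (?P<src>\S+)")

def allowed_sources(conf_text):
    """Return (hosts, open_ports): remote hosts named in splunktcp stanzas,
    and ports whose stanza names no remote host (not restricted by source)."""
    hosts, open_ports = set(), set()
    for line in conf_text.splitlines():
        m = STANZA.match(line.strip())
        if not m:
            continue  # settings, comments, other stanza types
        if m.group("host"):
            hosts.add(m.group("host"))
        else:
            open_ports.add(m.group("port"))
    return hosts, open_ports

def rejected_forwarders(log_text, conf_text):
    """Map each rejected source address that no stanza names to its hit count."""
    hosts, _ = allowed_sources(conf_text)
    hits = Counter(m.group("src") for m in REJECT.finditer(log_text))
    return {src: n for src, n in hits.items() if src not in hosts}

def missing_stanzas(log_text, conf_text, port="9997"):
    """Stanza headers that would name each rejected source (port is an assumption)."""
    rejected = rejected_forwarders(log_text, conf_text)
    return [f"[splunktcp://{src}:{port}]" for src in sorted(rejected)]

if __name__ == "__main__":
    for src, n in rejected_forwarders(INDEXER_LOG, INPUTS_CONF).items():
        print(f"{src}: rejected {n} time(s), not named in any splunktcp stanza")
    print("\n".join(missing_stanzas(INDEXER_LOG, INPUTS_CONF)))
```

Because the address in the stanza decides which forwarders may connect, confirm each reported address is a forwarder you expect before adding its stanza.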

kristian_kolb
Ultra Champion

You're welcome. /K

0 Karma

kristian_kolb
Ultra Champion

Could you please post the inputs.conf files for the indexers.

Also, you said that other forwarders had the same INPUTS.CONF, but surely you mean OUTPUTS.CONF, right?

/k
