Getting Data In

Configured but Inactive Forwards, in spite of resolving Firewall issue. Why?

smk54
New Member

Hello

I am trying to configure a forwarder between a Linux machine and a Windows machine. My Splunk is installed on the Windows machine and the forwarder on Linux. I need to establish a connection between both so as to monitor the syslogs.

I have followed all the steps mentioned in "http://answers.splunk.com/answers/50082/how-do-i-configure-a-splunk-forwarder-on-linux.html" to configure the forwarder. But when I try to list the forwards, it says
Configured but inactive forwards:
137.254.237.30:9997
(the ip of my windows machine:port)
By doing more research I came to know that this could be a firewall issue. I restarted the Windows firewall and added this port as an Inbound Rule for Splunk. But still, the forwarder is inactive.

Please help me out on this.

0 Karma
1 Solution

miteshvohra
Contributor

There is a high possibility that the data you wish to forward is already sent and there is no more new data to be sent.

Try generating some events or run this eventgen to produce random samples, and then check the status.

Regards, Mitesh.

0 Karma

Herman
Explorer

But what about the universal forwarder? Could you install the eventgen add-on for the universal forwarder? I have tried but no luck.

I have looked through several posts and checked everything, but the forwards are still inactive.

Any help appreciated.

0 Karma

smk54
New Member

Thanks a lot mitesh 🙂

I guess it's a bug in version 5.0.4. The data had already been forwarded, however, the forward was still shown as inactive.

I would like to know one more thing. How can we remove the inactive forwards from that list in Linux? I deleted all the saved ones through the Splunk Web. But, the list is still appearing in Linux.

0 Karma