Configured but inactive forwards

julian0125 · ‎07-08-2019

Hello Splunkers!

i'm in doubt, i have installed UF on windows server but when i list forward-server it says that there are no active fordware but is configurated, on port 9997 and also de deploy with 8088. What issue do you think it is? is there a way to active the forwarder?

Thanks

gcusello · ‎07-08-2019

Hi julian0125,
did you checked if the connection ports are open? you can check them using telnet.
then, you can check in forwarder's logs ($SPLUNK_HOME/var/log/splunk/) if the connection is established.
At least check if the forwarder is active, you can check the process (ps -eafd) searching for splunkd process.
If you find that the process is active and ports are open, check if the servername is correct ($SPLUNK_HOME/etc/system/local/server.conf e $SPLUNK_HOME/etc/system/local/inputs.conf).

You can see at https://docs.splunk.com/Documentation/Forwarder/7.3.0/Forwarder/Troubleshoottheuniversalforwarder or https://docs.splunk.com/Documentation/Splunk/7.3.0/Forwarding/Receiverconnection

Bye.
Giuseppe

natalienguyen · ‎07-08-2019

Did you restart your splunkforwarder service after the configuration?

ddrillic · ‎07-08-2019

Yup - you need to start it, probably as a service.

Configured but inactive forwards

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update