Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Configuring Input stanza for forwarder

rajindersingh
Explorer
‎05-08-2015 09:30 PM

I used this command to configure splunk forwarder using cli

splunk add monitor d:\logs -Follow-only True

I got no errors but I don't see any changes in my input.conf

I tried add the monitor again and I got a message that monitor is already present.

I can telnet from my forwarder vm to splunk vm over port 9997 and 8089

In my splunkd log file

05-09-2015 04:18:29.694 +0000 ERROR TcpOutputFd - Read error. An established connection was aborted by the software in your host machine.
05-09-2015 04:18:59.702 +0000 ERROR TcpOutputFd - Read error. An established connection was aborted by the software in your host machine.
05-09-2015 04:19:29.708 +0000 ERROR TcpOutputFd - Read error. An established connection was aborted by the software in your host machine.
05-09-2015 04:19:38.075 +0000 WARN TcpOutputProc - Forwarding to indexer group default-autolb-group blocked for 9400 seconds.
05-09-2015 04:19:59.720 +0000 ERROR TcpOutputFd - Read error. An established connection was aborted by the software in your host machine.

I know that firewall on my splunk server allows connections over port 8089 and 9997.

Do I have to configure outgoing firewall on the server running splunk forwarder?

Thanks

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎05-09-2015 06:54 AM

Port 8089 is the management port for Splunkd.

You should be forwarding to the Splunkinput port configured on your indexer. Typically this is TCP9997.

Update your outputs to that, and should resolve your issue.

View solution in original post

Reply
Solved! Jump to solution

rajindersingh
Explorer
‎05-09-2015 07:19 AM

Thanks esix_splunk

rookie mistake.

0 Karma
Reply
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎05-09-2015 06:54 AM

Port 8089 is the management port for Splunkd.

You should be forwarding to the Splunkinput port configured on your indexer. Typically this is TCP9997.

Update your outputs to that, and should resolve your issue.

Reply
Solved! Jump to solution

rajindersingh
Explorer
‎05-09-2015 06:42 AM

Output.conf was configured by the splunk universal forwareder installer.

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.0.0.37:8089

[tcpout-server://10.0.0.37:8089]

This server is up and running. It allows firewall traffic over 8089 and 9997.

Any other suggestions?

Thanks

0 Karma
Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎05-09-2015 02:13 AM

You also need to have an outputs.conf configured on your forwarder. This lets the UF know where it should send the data collected in the inputs.conf to.

In your case, the outputs.conf should point to your indexer.

See : http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Deployaforwarder

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...