Getting Data In

Connection issues: when I created a new indexer, our data is not showing up.

snallam123
Path Finder

There are a couple of indexes in inputs.conf.

I just added a new index with a new port. All other indexes are working fine and servers can send data to indexes. The problem is with the newly added one. When I do telnet from universal forwarder to indexer, all other ones are establishing a connection, but I can't establish a connection to the new one.

Am I missing something here? Can someone figure out where the problem is?

Thanks a lot in advance.

0 Karma

bpadmanbhachari
Splunk Employee

If telnet is not connecting to new indexer then you need to check two things.
1. Check if port is enabled on forwarder and indexer using the `netstat -an | grep "port"` command.
2. Check if you have any third party firewall on indexer end refusing the connection.
3. If port is fine and enabled, check if you have enabled receiving on indexer end for that port. On indexer GUI >> Settings >> Forwarding and receiving >> Receiving >> enable the port.

0 Karma

ddrillic
Ultra Champion

The following can help: "I can't find my data!"

0 Karma

MuS
SplunkTrust

Check on the indexer if the port is open (assuming *nix so use `netstat -an | grep`)
Check if there is a local firewall blocking the new port on the indexer
Check if any other firewall is blocking the connection from your uf to the idx

cheers, MuS

0 Karma
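The checks from the accepted answer and from MuS's reply, as an added example that is not part of the original thread: a Python probe run from the forwarder that does what the telnet test does for every port and separates "refused" (nothing listening, or a firewall rejecting) from "filtered" (packets dropped). The function names and the host name are assumptions; the port range is the one quoted later in the thread.

```python
import socket
import sys

# Next step for each outcome, taken from the checks suggested in this thread.
NEXT_STEP = {
    "open": "listener reachable; the network path and receiving port are fine",
    "refused": "nothing accepted the connection: run netstat on the indexer, "
               "enable receiving for the port, check for a rejecting firewall",
    "filtered": "no answer before the timeout: look for a firewall dropping "
                "traffic between forwarder and indexer",
}

def probe(host, port, timeout=3.0):
    """Attempt one TCP connect (what telnet does) and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # RST came back: host is up, port is closed
    except socket.timeout:
        return "filtered"     # SYN went unanswered
    except OSError as exc:
        return "error: %s" % exc  # DNS failure, no route, ...

def survey(host, ports, timeout=3.0):
    """Probe every port and return {port: status}."""
    return {port: probe(host, port, timeout) for port in ports}

def failing(results):
    """Ports that did not complete a handshake, in ascending order."""
    return sorted(p for p, status in results.items() if status != "open")

if __name__ == "__main__":
    # Host is a placeholder; 6581-6590 is the range quoted in the thread.
    host = sys.argv[1] if len(sys.argv) > 1 else "indexer.example.com"
    results = survey(host, range(6581, 6591))
    for port, status in sorted(results.items()):
        print(port, status, "-", NEXT_STEP.get(status, "see error text"))
    print("failing ports:", failing(results))
```

A port that reports "refused" while its neighbours report "open" points at the indexer's receiving configuration for that one port rather than at the network path.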

snallam123
Path Finder

@MuS Thanks for the comment. Source and dest servers are connected locally. When I created the last indexes I did not open any port, but connections went well. The port number I am using is not open, but I heard from the network guys that when I get data on that port it should be fine.

0 Karma

MuS
SplunkTrust

I don't quite get what you are saying here ¯\_(ツ)_/¯

First you say you cannot connect, then the servers are connected locally but no port open?

So, does it work now or not?

0 Karma

snallam123
Path Finder

Sorry for the confusion. Out of 9 indexes one is not working; I did the same configuration for all. All indexes have different ports [6581-6590]. No firewall for these servers (contacted the network team).

0 Karma