Getting Data In

Connection issues: when I created a new indexer, our data is not showing up.

snallam123
Path Finder

There are a couple of indexes in inputs.conf.

I just added a new index with a new port. All other indexes are working fine and servers can send data to indexes. The problem is with the newly added one. When I do telnet from universal forwarder to indexer, all other ones are establishing a connection, but I can't establish a connection to the new one.

Am I missing something here? Can someone figure out where the problem is?

Thanks a lot in advance.

0 Karma
1 Solution

bpadmanbhachari
Splunk Employee
Splunk Employee

If telnet is not connecting to new indexer then you need to check two things.
1. Check if port is enabled on forwarder and indexer using "netstat -an |grep "port" command.
2. Check if you have any third party firewall on indexer end refusing the connection.
3. If port is fine and enabled check if you have enabled receiving on indexer end for that port. On indexer GUI>> settings >> forwarding and receiving >> receiving >> enable the port.

View solution in original post

0 Karma

bpadmanbhachari
Splunk Employee
Splunk Employee

If telnet is not connecting to new indexer then you need to check two things.
1. Check if port is enabled on forwarder and indexer using "netstat -an |grep "port" command.
2. Check if you have any third party firewall on indexer end refusing the connection.
3. If port is fine and enabled check if you have enabled receiving on indexer end for that port. On indexer GUI>> settings >> forwarding and receiving >> receiving >> enable the port.

0 Karma

ddrillic
Ultra Champion

The following can help I can't find my data!

0 Karma

MuS
SplunkTrust
SplunkTrust

Check on the indexer if to port is open (assuming *nix so use `netstat -an | grep )
Check if there is a local firewall blocking the new port on the indexer
Check if any other firewall is blocking the connection from your uf to the idx

cheers, MuS

0 Karma

snallam123
Path Finder

@MuS Thanks for comment, Source and dest servers are connected locally. When created last indexes i did not open any port, But connections went well. The port number i am using is not open but i heard from network guys like when i get data on that port it should be fine.

0 Karma

MuS
SplunkTrust
SplunkTrust

I quite don't get it want you are saying here ¯\_(ツ)_/¯

First you say you cannot connect, then the servers are connected locally but no port open?

So, does it work now or not?

0 Karma

snallam123
Path Finder

Sorry for confusion, Out of 9 indexes one is not working, did same configuration for all. all indexes are having different ports [6581-6590]. No firewall for these servers(contacted with network team).

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...