Getting Data In

Connection issues: when I created a new indexer, our data is not showing up.

Path Finder

There are a couple of indexes in inputs.conf.

I just added a new index with a new port. All other indexes are working fine and servers can send data to indexes. The problem is with the newly added one. When I do telnet from universal forwarder to indexer, all other ones are establishing a connection, but I can't establish a connection to the new one.

Am I missing something here? Can someone figure out where the problem is?

Thanks a lot in advance.

0 Karma
1 Solution

Splunk Employee
Splunk Employee

If telnet is not connecting to new indexer then you need to check two things.
1. Check if port is enabled on forwarder and indexer using "netstat -an |grep "port" command.
2. Check if you have any third party firewall on indexer end refusing the connection.
3. If port is fine and enabled check if you have enabled receiving on indexer end for that port. On indexer GUI>> settings >> forwarding and receiving >> receiving >> enable the port.

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

If telnet is not connecting to new indexer then you need to check two things.
1. Check if port is enabled on forwarder and indexer using "netstat -an |grep "port" command.
2. Check if you have any third party firewall on indexer end refusing the connection.
3. If port is fine and enabled check if you have enabled receiving on indexer end for that port. On indexer GUI>> settings >> forwarding and receiving >> receiving >> enable the port.

View solution in original post

0 Karma

Ultra Champion

The following can help I can't find my data!

0 Karma

SplunkTrust
SplunkTrust

Check on the indexer if to port is open (assuming *nix so use `netstat -an | grep )
Check if there is a local firewall blocking the new port on the indexer
Check if any other firewall is blocking the connection from your uf to the idx

cheers, MuS

0 Karma

Path Finder

@MuS Thanks for comment, Source and dest servers are connected locally. When created last indexes i did not open any port, But connections went well. The port number i am using is not open but i heard from network guys like when i get data on that port it should be fine.

0 Karma

SplunkTrust
SplunkTrust

I quite don't get it want you are saying here ¯\_(ツ)_/¯

First you say you cannot connect, then the servers are connected locally but no port open?

So, does it work now or not?

0 Karma

Path Finder

Sorry for confusion, Out of 9 indexes one is not working, did same configuration for all. all indexes are having different ports [6581-6590]. No firewall for these servers(contacted with network team).

0 Karma