Following situation (Version 4.2.3):
- Universal Forwarder (no GUI) sends data to Heavy Forwarder
- Heavy Forwarder (GUI) sends data to Indexer (GUI)
This all works just perfect (here status Universal Forwarder & Heavy Forwarder)
Universal Forwarder connected to Heavy Forwarder
09-22-2011 17:03:44.293 +0200 INFO TcpOutputProc - Connected to idx=xxx.xxx.xxx.xxx:25000
Commands Heavy Forwarder
$ splunk display app SplunkLightForwarder
SplunkLightForwarder UNCONFIGURED DISABLED INVISIBLE
$ splunk display app SplunkForwarder
SplunkForwarder UNCONFIGURED ENABLED INVISIBLE
Now the problem: If I enable light forwarding via GUI on the Heavy Forwarder, somehow my Universal Forwarder cannot connect to the ex-Heavy Forwarder anymore!
Commands again on Heavy Forwarder (now Light Forwarder -> no GUI)
$ splunk display app SplunkLightForwarder
SplunkLightForwarder UNCONFIGURED ENABLED INVISIBLE
$ splunk display app SplunkForwarder
SplunkForwarder UNCONFIGURED ENABLED INVISIBLE
Universal Forwarder not connected anymore
09-22-2011 17:18:44.330 +0200 ERROR TcpOutputFd - Connection to host=xxx.xxx.xxx.xxx:25000 failed
Is this a bug/feature not using the GUI to make a light forwarder out of a heavy forwarder?
I basically disabled all apps: splunk disable app <appname> (even SplunkForwarder & SplunkLightForwarder). Note: Somehow, I couldn't disable e.g. the search app!
With the command splunk btool [inputs|outputs] list --debug, I could see the parameters Splunk's using while running. I noticed the search app's being used with a no-good inputs.conf file for me - so I removed that inputs.conf, since I couldn't disable the app itself.
Further, in $SPLUNK_HOME/etc/system/local, I edited inputs.conf & outputs.conf as follows:
inputs.conf
[splunktcp://:25000]
outputs.conf
[tcpout]
defaultGroup = indexserver.com_25000
disabled = false
indexAndForward = 0
[tcpout:indexserver.com_25000]
autoLB = true
server = indexserver.com:25000
You should be able to convert a heavy forwarder to a light forwarder. I personally have several light forwarders forwarding to forwarders who then send to indexers. In a couple of instances I have light forwarders sending to universal forwarders who then send to indexers.
On the light forwarder, are you listening splunktcp on the port configured for forwarding?
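Added example, not part of the original thread or of Splunk's tooling: a small parser for the output of splunk btool inputs list --debug that reports whether a splunktcp receiver is defined for a given port and which file contributes it. It assumes each btool line starts with the contributing .conf path; the sample paths below are constructed.

```python
import re

# `splunk btool inputs list --debug` prefixes every line with the file it came from.
LINE = re.compile(r"^(?P<src>.*?\.conf)\s+(?P<rest>\S.*)$")
# Matches [splunktcp://:25000], [splunktcp://host:25000], [splunktcp:25000], [splunktcp-ssl:25000]
LISTENER = re.compile(r"^\[splunktcp(?:-ssl)?:(?:.*[:/])?(\d+)\]$")

def splunktcp_listeners(btool_debug_output):
    """Map port -> {"source": file contributing the stanza header, "disabled": bool}."""
    listeners, port = {}, None
    for raw in btool_debug_output.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        src, rest = m.group("src"), m.group("rest").strip()
        if rest.startswith("["):                      # new stanza header
            hit = LISTENER.match(rest)
            port = int(hit.group(1)) if hit else None
            if hit:
                listeners[port] = {"source": src, "disabled": False}
        elif port is not None and "=" in rest:        # setting inside a splunktcp stanza
            key, value = (part.strip() for part in rest.split("=", 1))
            if key == "disabled":
                listeners[port]["disabled"] = value.lower() in ("1", "true")
    return listeners

def receiver_check(btool_debug_output, port):
    """Return (listening, detail) for the port the upstream forwarder sends to."""
    entry = splunktcp_listeners(btool_debug_output).get(port)
    if entry is None:
        return False, "no splunktcp stanza for port %d" % port
    if entry["disabled"]:
        return False, "stanza disabled (header from %s)" % entry["source"]
    return True, "defined in %s" % entry["source"]

# Constructed sample output (paths are assumptions, not taken from the thread).
SAMPLE_OK = """\
/opt/splunk/etc/system/default/inputs.conf  [default]
/opt/splunk/etc/system/default/inputs.conf  host = $decideOnStartup
/opt/splunk/etc/system/local/inputs.conf    [splunktcp://:25000]
/opt/splunk/etc/system/default/inputs.conf  connection_host = ip
"""
SAMPLE_MISSING = """\
/opt/splunk/etc/system/default/inputs.conf  [default]
/opt/splunk/etc/system/default/inputs.conf  host = $decideOnStartup
"""
if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("missing", SAMPLE_MISSING)):
        print(name, receiver_check(text, 25000))
```

Run it against saved btool output before and after enabling or disabling an app to see whether the receiving stanza is still part of the effective configuration.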