Following situation (Version 4.2.3):
Universal Forwarder (no GUI) sends data to Heavy Forwarder
Heavy Forwarder (GUI) sends data to Indexer (GUI)
This all works just perfectly (here status Universal Forwarder & Heavy Forwarder)
Universal Forwarder connected to Heavy Forwarder
09-22-2011 17:03:44.293 +0200 INFO TcpOutputProc - Connected to idx=xxx.xxx.xxx.xxx:25000
Commands Heavy Forwarder
$ splunk display app SplunkLightForwarder
SplunkLightForwarder UNCONFIGURED DISABLED INVISIBLE
$ splunk display app SplunkForwarder
SplunkForwarder UNCONFIGURED ENABLED INVISIBLE
Now the problem: If I enable light forwarding via GUI on the Heavy Forwarder, somehow my Universal Forwarder cannot connect to the ex-Heavy Forwarder anymore!
Commands again on Heavy Forwarder (now Light Forwarder -> no GUI)
$ splunk display app SplunkLightForwarder
SplunkLightForwarder UNCONFIGURED ENABLED INVISIBLE
$ splunk display app SplunkForwarder
SplunkForwarder UNCONFIGURED ENABLED INVISIBLE
Universal Forwarder not connected anymore
09-22-2011 17:18:44.330 +0200 ERROR TcpOutputFd - Connection to host=xxx.xxx.xxx.xxx:25000 failed
Is this a bug/feature not using the GUI to make a light forwarder out of a heavy forwarder?
You should be able to convert a heavy forwarder to a light forwarder. I personally have several light forwarders forwarding to forwarders who then send to indexers. In a couple instances I have light forwarders sending to universal forwarders who then send to indexers.
On the light forwarder, are you listening splunktcp on the port configured for forwarding?
I basically disabled all apps:
splunk disable app <appname> (even SplunkForwarder & SplunkLightForwarder)
Note: Somehow, I couldn't disable e.g. the
splunk btool [inputs|outputs] list --debug, I could see parameters Splunk's using while running. I noticed the search app's being used with a no-good inputs.conf file for me - so I removed that inputs.conf, since I couldn't disable the app itself.
$SPLUNK_HOME/etc/system/local, I edited inputs.conf & outputs.conf as follows:
[tcpout]
defaultGroup = indexserver.com_25000
disabled = false
indexAndForward = 0

[tcpout:indexserver.com_25000]
autoLB = true
server = indexserver.com:25000
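
One of the replies asks whether the receiving forwarder is listening for splunktcp on the port the sender forwards to. The check below is an added example, not part of the original posts: it compares the ports in a sender's outputs.conf with the enabled `[splunktcp://...]` stanzas in a receiver's inputs.conf. Host names and sample configs are constructed, and only ports are compared, not hosts.

```python
import re

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def target_ports(outputs):
    """Ports of every server in the default tcpout group(s)."""
    groups = outputs.get("tcpout", {}).get("defaultGroup", "")
    ports = set()
    for group in filter(None, (g.strip() for g in groups.split(","))):
        servers = outputs.get("tcpout:" + group, {}).get("server", "")
        for server in filter(None, (s.strip() for s in servers.split(","))):
            ports.add(int(server.rsplit(":", 1)[1]))
    return ports

def listening_ports(inputs):
    """Ports that have an enabled [splunktcp://[host:]port] stanza."""
    ports = set()
    for name, settings in inputs.items():
        m = re.fullmatch(r"splunktcp://(?:[^:]*:)?(\d+)", name)
        if m and settings.get("disabled", "false").lower() not in ("1", "true"):
            ports.add(int(m.group(1)))
    return ports

def missing_listeners(sender_outputs_text, receiver_inputs_text):
    """Ports the sender targets that the receiver does not listen on."""
    wanted = target_ports(parse_conf(sender_outputs_text))
    return sorted(wanted - listening_ports(parse_conf(receiver_inputs_text)))

# Constructed sample configs (not taken from the thread).
SENDER_OUTPUTS = "[tcpout]\ndefaultGroup = hf_25000\n\n[tcpout:hf_25000]\nserver = forwarder.example.com:25000\n"
RECEIVER_INPUTS_BROKEN = "[monitor:///var/log/messages]\nsourcetype = syslog\n"
RECEIVER_INPUTS_OK = RECEIVER_INPUTS_BROKEN + "\n[splunktcp://25000]\ndisabled = false\n"

if __name__ == "__main__":
    print("missing listeners:", missing_listeners(SENDER_OUTPUTS, RECEIVER_INPUTS_BROKEN))
    print("missing listeners:", missing_listeners(SENDER_OUTPUTS, RECEIVER_INPUTS_OK))
```

For a running instance, feed it the merged output of `splunk btool inputs list` and `splunk btool outputs list` (without `--debug`) so that settings contributed by apps are included.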