Getting Data In

Forwarder not starting

ramprakash
Explorer

I have forwarder down since past two months, when i brought it up it generated errors.

No Splunkd logs have been created. I understand that Ulimit is not set as per Splunk documentation but it should start at least.
If someone can let me know what is the possible issue of Forwarder not starting.

Checking prerequisites...
WARNING: Data segment size limit (ulimit -d) is set low (134217728 bytes) Splunk may not work.
You may want to run "ulimit -d unlimited" before starting splunk.
WARNING: Resident memory size limit (ulimit -m) is set low (33554432 bytes) Splunk may not work.
You may want to run "ulimit -m unlimited" before starting splunk.
WARNING: File size limit (ulimit -f) is set low (1073741312 bytes) Splunk may not work.
You may want to run "ulimit -f unlimited" before starting splunk.
Checking mgmt port [8089]: open
Assertion failed: _linkp == nullptr, file /home/build/build-src/orangeswirl/src/util/TimeoutHeap.cpp, line 46
Dying on signal #6 (si_code=0), sent by PID 0 (UID 0). Attempting to clean up pidfile
ERROR: pid 5702028 terminated with signal 6
SSL certificate generation failed.

0 Karma

jimmytpowers
Path Finder

Hello,

Save a copy of inputs.conf from the current instance, re-install the forwarder and place the saved copy of inputs.conf in the correct directory.

I would also adjust the Ulimits to the recommended settings.

Cheers,

0 Karma

ramprakash
Explorer

Thanks for the suggestion. Can i install Splunk on some other directory and copy all the configurations?

0 Karma

jimmytpowers
Path Finder

Yes, and you can delete the old forwarder directory once you apply all the old configs to the new, and get the data forwarding to indexers.

0 Karma

ramprakash
Explorer

Thanks much i will do it and update you if it works..

Meanwhile i have some doubt on server.conf of old forwarder. This forwarder was installed by someone else and it has sslPassword stanza with some values. How can we get this value or it geneartes automatically when we install forwarder.

0 Karma

jimmytpowers
Path Finder

It can generate certs by default, and they expire after 3 years.

https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/Aboutsecuringdatafromforwarders

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...