Getting Data In

How do I troubleshoot Splunk Universal Forwarder communication issues?

qygoh
Engager

I'm facing 1 issue when try to install a Splunk universal forwarder in one of my job sites. Every time when I change its connection to 127.0.0.1 51112, it will fail after 3 minutes of waiting and reset the connection again. Therefore, data at my client site can't send to my server. Anyone of you encounter this issue before? Do you mind sharing your solution so I can resolve it?I able to telnet it and also splunk list forward server & splunk show deploy-poll is working well. Thank you very much.

0 Karma
1 Solution

Stevelim
Communicator

Resolved as port 51112 is intermittently controlled by another app. Shifted to another port number.

View solution in original post

0 Karma

Stevelim
Communicator

Resolved as port 51112 is intermittently controlled by another app. Shifted to another port number.

0 Karma

ryanoconnor
Builder

What does your Splunk infrastructure look like? Is your Deployment Server also your indexer?

Are you receiving any data on your indexer?

Do you have port 9997 open between your Universal Forwarder and Indexer?

0 Karma

qygoh
Engager

Hi, yup~ i able to telnet port my port which mean the port is open already. I able to received data from my indexer before i install universal forwarder. But after i install Universal forwarder it can't working. Any details information i should provide to you?

0 Karma

Richfez
SplunkTrust
SplunkTrust

What do you mean by "change its connection to 127.0.0.1 51112"? Why do you need to do that? From the little I see in your screenshot your configuration looks fine*.

You can check c:\program files\splunkforwarder\var\log\splunk\splunkd.log for errors, that might help point you in the right direction.

*Except having your system forward to the same place as your Deployment Server, but that shouldn't be an actual problem.

0 Karma

qygoh
Engager

It look fine in my splunk log and i got this message:
06-16-2016 10:13:26.851 +0800 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_IPAddress
This should be correct right?

0 Karma

qygoh
Engager

127.0.0.1 51112 is the same as as point to localhost. I use Kepware 5.20 for extract all the data from my device and send to Splunk server. I will try to check the Splunk log see got any hints or not.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...