How do I troubleshoot Splunk Universal Forwarder communication issues?

Engager

I'm facing one issue when trying to install a Splunk universal forwarder at one of my job sites. Every time I change its connection to 127.0.0.1 51112, it fails after 3 minutes of waiting and resets the connection again. As a result, data at my client site can't be sent to my server. Has anyone encountered this issue before? Would you mind sharing your solution so I can resolve it? I am able to telnet to it, and `splunk list forward-server` and `splunk show deploy-poll` are also working well. Thank you very much.

0 Karma
1 Solution

Communicator

Resolved as port 51112 is intermittently controlled by another app. Shifted to another port number.

0 Karma
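
One way to confirm the diagnosis in the accepted solution, that another application intermittently holds port 51112, is to poll the port's listener on the forwarder host and record every change of owner. This PowerShell sketch is an added example, not part of the original posts; the function name `Watch-PortOwner`, its defaults and the output format are assumptions, and it needs `Get-NetTCPConnection` (Windows 8 / Server 2012 or later).

```powershell
# Added example: record which process listens on a local TCP port over time,
# so an intermittent conflict shows up as a change of owner.
# Watch-PortOwner, its defaults and the output shape are assumptions.
function Watch-PortOwner {
    param(
        [int]$Port = 51112,          # port named in the thread
        [int]$Samples = 60,          # number of polls
        [int]$IntervalSeconds = 5    # delay between polls
    )
    $last = $null
    for ($i = 0; $i -lt $Samples; $i++) {
        # No listener at all is a valid result, so suppress the "not found" error.
        $conns = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
        $ownerIds = $conns | Select-Object -ExpandProperty OwningProcess -Unique
        $owners = foreach ($procId in $ownerIds) {
            # The owning process may exit between the two calls.
            $p = Get-Process -Id $procId -ErrorAction SilentlyContinue
            if ($p) { "$($p.ProcessName) (PID $procId)" } else { "PID $procId (exited)" }
        }
        $current = if ($owners) { $owners -join ', ' } else { '<no listener>' }
        # Emit a row only when the owner changes, to keep the record short.
        if ($current -ne $last) {
            [pscustomobject]@{
                Time  = Get-Date -Format o
                Port  = $Port
                Owner = $current
            }
            $last = $current
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

Watch-PortOwner -Port 51112
```

More than one distinct owner in the output, or the expected listener alternating with `<no listener>`, points to the kind of port contention described in the solution.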

Builder

What does your Splunk infrastructure look like? Is your Deployment Server also your indexer?

Are you receiving any data on your indexer?

Do you have port 9997 open between your Universal Forwarder and Indexer?

0 Karma

Engager

Hi, yup, I am able to telnet to my port, which means the port is open already. I was able to receive data from my indexer before I installed the universal forwarder. But after I installed the universal forwarder it doesn't work. Is there any detailed information I should provide to you?

0 Karma

SplunkTrust

What do you mean by "change its connection to 127.0.0.1 51112"? Why do you need to do that? From the little I see in your screenshot your configuration looks fine*.

You can check c:\program files\splunkforwarder\var\log\splunk\splunkd.log for errors, that might help point you in the right direction.

*Except having your system forward to the same place as your Deployment Server, but that shouldn't be an actual problem.

0 Karma

Engager

It looks fine in my Splunk log, and I got this message:
06-16-2016 10:13:26.851 +0800 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_IPAddress
This should be correct, right?

0 Karma

Engager

127.0.0.1 51112 is the same as pointing to localhost. I use Kepware 5.20 to extract all the data from my device and send it to the Splunk server. I will check the Splunk log to see whether there are any hints.

0 Karma