Hello,

I'm having issues receiving data on my Indexer from the Universal Forwarder. Prior to installing the Universal Forwarder, I confirmed that the Indexer was able to receive data. However, after installing the Universal Forwarder and configuring according to Deployment instructions, I confirmed that the Forward-Server was "Active", Netstat was ESTABLISHED on both servers, the Inputs.conf and Outputs.conf files on the Universal Forwarder were configured to receive UDP Traffic and send traffic to the Indexer. For the purposes of troubleshooting, my OS Firewall has been turned off and I also confirmed that data is showing up in the index= _internal host=forward-server. Data is not updating in the Search Head. Does anyone have any ideas, or know of anything that has been missed.

FORWARDER

[root@SplunkForwarder bin]# ./splunk list forward-server
Active forwards:
10.202.192.33:9997
Configured but inactive forwards:
None

[root@SplunkForwarder local]# more inputs.conf
[default]
host = Splunk_Forwarder

[udp://5514]
index = pan_logs
sourcetype = pan_log
connection_host = ip
no_appending_timestamp = true
disabled = 1

[udp://514]

disabled = false

[root@SplunkForwarder local]# more outputs.conf
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.202.192.33:9997

[tcpout-server://10.202.192.33:9997]

INDEXER

[root@SplunkLinux bin]# ./splunk display listen
Receiving is enabled on port 9997.