Solved: No available server list on /opt/splunkforwarder/b...

qubick · ‎03-08-2014

I installed indexer (an instance of spunk) to the server, enabled, and opened 9997 port.
Also installed splunkforwarder to my local machine, added hostname:9997 under settings > Data > Forwarding and receiving > Forward Data > Configure forwarding.

But nothing seemed to be connected, showing nothing when I type /opt/splunkforwarder/bin/splunk list forward-server command to the server. Is there something I should do more?

I am seeing the message that says:

1) skipped indexing of internal audit event will keep dropping events until indexer congestion is remedied. Check disk space and other issues that may cause indexer to block.
2) Tcp output pipeline blocked. Attempt 8200 to insert data failed.

Does this also related to the connection error?

lguinn2 · ‎03-08-2014

I am confused by the language you are using. But let me see if I can recap and then offer some suggestions.

You installed Splunk on machine A and opened port 9997 (in the firewall, I presume).
On machine B (your local machine), you added machineA:9997 to configure forwarding.
When you type /opt/splunkforwarder/bin/splunk list forward-server on machine B, you get nothing.

First, on machine A:

You need to set up receiving on port 9997 in Splunk
You can run the following search to see if connections have been made from forwarders:

index=_internal source=*metrics.log group=tcpin_connections

Second, on machine B:

There is no GUI on a Universal Forwarder, so I am unclear how you did this.
You should make sure that port 9997 is open for machine B to send.
You can use the command line interface to (1) tell the forwarder where to send data and (2) check the status to see where the forwarder is actually sending (3) check to see which files are being monitored and forwarded

/opt/splunkforwarder/bin/splunk add forward-server machineA:9997
/opt/splunkforwarder/bin/splunk list forward-server
/opt/splunkforwarder/bin/splunk list monitor

View solution in original post

lguinn2 · ‎03-08-2014

I am confused by the language you are using. But let me see if I can recap and then offer some suggestions.

You installed Splunk on machine A and opened port 9997 (in the firewall, I presume).
On machine B (your local machine), you added machineA:9997 to configure forwarding.
When you type /opt/splunkforwarder/bin/splunk list forward-server on machine B, you get nothing.

First, on machine A:

You need to set up receiving on port 9997 in Splunk
You can run the following search to see if connections have been made from forwarders:

index=_internal source=*metrics.log group=tcpin_connections

Second, on machine B:

There is no GUI on a Universal Forwarder, so I am unclear how you did this.
You should make sure that port 9997 is open for machine B to send.
You can use the command line interface to (1) tell the forwarder where to send data and (2) check the status to see where the forwarder is actually sending (3) check to see which files are being monitored and forwarded

/opt/splunkforwarder/bin/splunk add forward-server machineA:9997
/opt/splunkforwarder/bin/splunk list forward-server
/opt/splunkforwarder/bin/splunk list monitor

qubick · ‎03-11-2014

I am not using a universal forwarder, I just installed a spunkforwarder to machine B (local machine), and added host by typing machineA:9997 at Settings > Data > Forwarding and receiving > "configure forwarding" and I could access to the forwarder from web UI

To make sure, I tried all commands you suggested, but nothing executes anything - showing no results, even doesn't come back to the next command line.

No available server list on /opt/splunkforwarder/bin/splunk list forward-server

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?