Getting Data In

No available server list on /opt/splunkforwarder/bin/splunk list forward-server

qubick
Path Finder

I installed an indexer (an instance of Splunk) on the server, enabled it, and opened port 9997.
I also installed splunkforwarder on my local machine and added hostname:9997 under Settings > Data > Forwarding and receiving > Forward Data > Configure forwarding.

But nothing seemed to be connected, and nothing is shown when I type the /opt/splunkforwarder/bin/splunk list forward-server command to the server. Is there something more I should do?

I am seeing the message that says:

1) skipped indexing of internal audit event will keep dropping events until indexer congestion is remedied. Check disk space and other issues that may cause indexer to block.
2) Tcp output pipeline blocked. Attempt 8200 to insert data failed.

Is this also related to the connection error?

1 Solution

lguinn2
Legend

I am confused by the language you are using. But let me see if I can recap and then offer some suggestions.

  • You installed Splunk on machine A and opened port 9997 (in the firewall, I presume).
  • On machine B (your local machine), you added machineA:9997 to configure forwarding.
  • When you type /opt/splunkforwarder/bin/splunk list forward-server on machine B, you get nothing.

First, on machine A:

  • You need to set up receiving on port 9997 in Splunk
  • You can run the following search to see if connections have been made from forwarders:

    index=_internal source=*metrics.log group=tcpin_connections

Second, on machine B:

  • There is no GUI on a Universal Forwarder, so I am unclear how you did this.
  • You should make sure that port 9997 is open for machine B to send.
  • You can use the command line interface to (1) tell the forwarder where to send data, (2) check the status to see where the forwarder is actually sending, and (3) check to see which files are being monitored and forwarded:

    /opt/splunkforwarder/bin/splunk add forward-server machineA:9997
    /opt/splunkforwarder/bin/splunk list forward-server
    /opt/splunkforwarder/bin/splunk list monitor
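
The forwarder-side checks above can also be made without the CLI, by reading the configured targets from outputs.conf and testing the TCP path to each one. This is an added example, not part of the original answer; it assumes bash and `timeout` are available and that the configuration lives in the default `etc/system/local` and `etc/apps/*/local` or `default` directories, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): read the forwarder's targets from
# outputs.conf and probe each one, without going through the splunk CLI.
# Assumption: SPLUNK_HOME defaults to the install path used in the thread.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# Print each host:port from "server = ..." lines in [tcpout] / [tcpout:<group>]
# stanzas of one outputs.conf. Other stanzas (e.g. [syslog:...]) are ignored.
tcpout_servers() {
  awk '
    { sub(/\r$/, ""); sub(/^[ \t]+/, "") }   # tolerate CRLF and indentation
    /^#/  { next }                            # comment line
    /^\[/ { in_tcpout = ($0 ~ /^\[tcpout(\]|:)/); next }
    in_tcpout && /^server[ \t]*=/ {
      sub(/^[^=]*=/, "")
      n = split($0, parts, ",")              # value may be a comma-separated list
      for (i = 1; i <= n; i++) {
        gsub(/[ \t]/, "", parts[i])
        if (parts[i] != "") print parts[i]
      }
    }
  ' "$1"
}

# Collect targets from system/local and every app local and default directory.
configured_servers() {
  for f in "$SPLUNK_HOME"/etc/system/local/outputs.conf \
           "$SPLUNK_HOME"/etc/apps/*/local/outputs.conf \
           "$SPLUNK_HOME"/etc/apps/*/default/outputs.conf; do
    if [ -f "$f" ]; then tcpout_servers "$f"; fi
  done | sort -u
}

# Succeed if a TCP connection to host:port opens within 5 seconds.
can_connect() {
  timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "${1%:*}" "${1##*:}" 2>/dev/null
}

report() {
  targets=$(configured_servers)
  [ -n "$targets" ] || { echo "no tcpout server configured under $SPLUNK_HOME/etc"; return 1; }
  for t in $targets; do
    if can_connect "$t"; then echo "$t: TCP connect OK"
    else echo "$t: TCP connect FAILED"; fi
  done
}

# Run the report when called with --report; otherwise only define the functions.
if [ "${1:-}" = "--report" ]; then report; fi
```

An empty result from `configured_servers` means no forwarding target was ever written to the configuration; a target that is listed but fails the connect test points at the receiver or the network path instead.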

qubick
Path Finder

I am not using a universal forwarder. I just installed splunkforwarder on machine B (the local machine) and added the host by typing machineA:9997 at Settings > Data > Forwarding and receiving > "configure forwarding", and I could access the forwarder from the web UI.

To make sure, I tried all the commands you suggested, but none of them executed anything: they showed no results and didn't even come back to the next command line.
