Getting Data In
Highlighted

Seeing all the forwarded data on indexer but universal forwarder is saying "configured but inactive"

Path Finder

Hi splunkers ,

I have forwarded the data using universal forwarder to heavy forwarder and then to indexer , where i am seeing all my data of agent server. But, the problem is I don't know why UF is still saying that "configured but inactive "

At universal forwarder end i am seeing in splunkd.log :

08-14-2018 07:03:34.401 -0400 INFO  TcpOutputProc - Initializing connection for non-ssl forwarding to 165.113.21.66:9997
08-14-2018 07:03:34.538 -0400 INFO  TcpOutputProc - Connected to idx=165.113.21.66:9997, pset=0, reuse=0.
08-14-2018 07:14:15.696 -0400 INFO  TcpOutputProc - Initializing connection for non-ssl forwarding to 165.113.21.66:9997
08-14-2018 07:14:15.814 -0400 INFO  TcpOutputProc - Connected to idx=165.113.21.66:9997, pset=0, reuse=0.
08-20-2018 06:12:36.906 -0400 INFO  TcpOutputProc - Initializing connection for non-ssl forwarding to 165.113.21.66:9997
08-20-2018 06:12:37.038 -0400 INFO  TcpOutputProc - Connected to idx=165.113.21.66:9997, pset=0, reuse=0.

and this also (don't know why)

[root@abc.com bin]# ./splunk list forward-server
Active forwards:
        None
Configured but inactive forwards:
        165.113.21.66:9997

and at heavy forwarder end

[root@def.com bin]# ./splunk display listen
Your session is invalid.  Please login.
Splunk username: admin
Password:
Receiving is enabled on port 9997 

in splunkd.log at heavy forwarder end :

08-14-2018 07:04:26.163 -0400 INFO  TcpInputProc - clustering is enabled but ACK not enabled on forwarder=165.113.20.239

Everything is connected. But still, why am I seeing this "Configured but inactive forwards:" I don't know why, and i also have tried telnet from universal forwarder for heavy forwarder server

[root@abc.com bin]# telnet def.com 9997
Trying def.com...
Connected to def.com.
Escape character is '^]'.

Guys please help. Although, i am receiving all my data at indexer, but still i want to know why i am seeing the "configured but not active" entry in universal forwarder

0 Karma
Highlighted

Re: Seeing all the forwarded data on indexer but universal forwarder is saying "configured but inactive"

Motivator

hey@kannu,

Refer this accepted answer:
https://answers.splunk.com/answers/48760/how-to-activate-forward-server.html

Let me know if this helps!!

0 Karma
Highlighted

Re: Seeing all the forwarded data on indexer but universal forwarder is saying "configured but inactive"

Path Finder

@deepashri_123

My issue is different , actually i am receiving all the data what ever i request forwarder to send but what i am not sure is why the splunk forwarder agent is putting my indexer name in "confgured but not active"

Prof i already have provided above

0 Karma
Highlighted

Re: Seeing all the forwarded data on indexer but universal forwarder is saying "configured but inactive"

Contributor

Are you sending data while running the list forward-server command?

It will only show "active" if it is really active.

0 Karma
Highlighted

Re: Seeing all the forwarded data on indexer but universal forwarder is saying "configured but inactive"

Path Finder

@teunlaan ,

Yes i am sending live data and it is receiving perfectly , For live data i have enabled the scripted input monitor which is running at cron scheduled for every 5 minutes .

0 Karma
Highlighted

Re: Seeing all the forwarded data on indexer but universal forwarder is saying "configured but inactive"

Path Finder

@deepashri_123 @teunlaan please provide any update

0 Karma
Highlighted

Re: Seeing all the forwarded data on indexer but universal forwarder is saying "configured but inactive"

Contributor

what is in out outputs.conf?

0 Karma
Highlighted

Re: Seeing all the forwarded data on indexer but universal forwarder is saying "configured but inactive"

Motivator

did u try restarting universal forwarder?

0 Karma
Highlighted

Re: Seeing all the forwarded data on indexer but universal forwarder is saying "configured but inactive"

Can you try to increased the processing memory by limiting the services and stopping the unwanted services which are included in monitoring phase of the UF in linux/windows here.

Then stopping and restarting the services in this case.

0 Karma
Highlighted

Re: Seeing all the forwarded data on indexer but universal forwarder is saying "configured but inactive"

Ultra Champion

as @teunlaan mentioned: the list forward-server command, only shows things as active, when there is actual data going across. If your only input is running just once every 5 minutes, then it will probably be silent for a good part of the time and therefor showing as inactive.

If you put a watch on that command, and keep your eyes on it when the scripted input triggers, you'll likely see it come to life.

View solution in original post

0 Karma