Hi Splunkers,
I have forwarded the data using a universal forwarder to a heavy forwarder and then to the indexer, where I am seeing all the data of my agent server. But the problem is I don't know why the UF is still saying "configured but inactive".
At the universal forwarder end I am seeing in splunkd.log:
08-14-2018 07:03:34.401 -0400 INFO TcpOutputProc - Initializing connection for non-ssl forwarding to 22.214.171.124:9997
08-14-2018 07:03:34.538 -0400 INFO TcpOutputProc - Connected to idx=126.96.36.199:9997, pset=0, reuse=0.
08-14-2018 07:14:15.696 -0400 INFO TcpOutputProc - Initializing connection for non-ssl forwarding to 188.8.131.52:9997
08-14-2018 07:14:15.814 -0400 INFO TcpOutputProc - Connected to idx=184.108.40.206:9997, pset=0, reuse=0.
08-20-2018 06:12:36.906 -0400 INFO TcpOutputProc - Initializing connection for non-ssl forwarding to 220.127.116.11:9997
08-20-2018 06:12:37.038 -0400 INFO TcpOutputProc - Connected to idx=18.104.22.168:9997, pset=0, reuse=0.
and this also (don't know why)
[email@example.com bin]# ./splunk list forward-server
Active forwards:
None
Configured but inactive forwards:
22.214.171.124:9997
and at heavy forwarder end
[firstname.lastname@example.org bin]# ./splunk display listen
Your session is invalid. Please login.
Splunk username: admin
Password:
Receiving is enabled on port 9997
in splunkd.log at heavy forwarder end :
08-14-2018 07:04:26.163 -0400 INFO TcpInputProc - clustering is enabled but ACK not enabled on forwarder=126.96.36.199
Everything is connected. But still, why am I seeing this "Configured but inactive forwards:"? I don't know why, and I have also tried telnet from the universal forwarder to the heavy forwarder server:
[email@example.com bin]# telnet def.com 9997
Trying def.com...
Connected to def.com.
Escape character is '^]'.
Guys, please help. Although I am receiving all my data at the indexer, I still want to know why I am seeing the "configured but not active" entry in the universal forwarder.
My issue is different. Actually, I am receiving all the data, whatever I request the forwarder to send, but what I am not sure of is why the Splunk forwarder agent is putting my indexer name in "configured but not active".
Proof I have already provided above.
Are you sending data while running the list forward-server command?
It will only show "active" if it is really active.
Yes, I am sending live data and it is being received perfectly. For live data I have enabled the scripted input monitor, which is running on a cron schedule every 5 minutes.
Can you try to increase the processing memory by limiting the services and stopping the unwanted services which are included in the monitoring phase of the UF in Linux/Windows here?
Then stopping and restarting the services in this case.
As @teunlaan mentioned: the list forward-server command only shows things as active when there is actual data going across. If your only input is running just once every 5 minutes, then it will probably be silent for a good part of the time and therefore showing as inactive.
If you put a watch on that command, and keep your eyes on it when the scripted input triggers, you'll likely see it come to life.
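A way to record what that watch would show, as an added example that is not from any participant in this thread: it samples `list forward-server` at a fixed interval and counts how often each forward-server is reported active. It assumes the CLI session is already logged in, that `SPLUNK_HOME` defaults to `/opt/splunkforwarder`, and that the command prints one entry per line under each heading; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sample `splunk list forward-server` over time.

# Reads the command output on stdin and prints "<state> <host:port>" per entry,
# where state is "active" or "inactive". "None" placeholders are skipped.
forward_state() {
    awk '
        /^Active forwards:/                  { state = "active";   next }
        /^Configured but inactive forwards:/ { state = "inactive"; next }
        state != "" && NF > 0 {
            entry = $1
            if (entry != "None") print state, entry
        }
    '
}

# Polls the CLI $1 times, $2 seconds apart, printing "<date> <time> <state> <entry>".
# Assumption: the CLI session is already authenticated.
sample_forwarders() {
    count=$1; interval=$2
    splunk_bin="${SPLUNK_HOME:-/opt/splunkforwarder}/bin/splunk"
    i=0
    while [ "$i" -lt "$count" ]; do
        "$splunk_bin" list forward-server 2>/dev/null | forward_state |
            while read -r state entry; do
                printf '%s %s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$state" "$entry"
            done
        i=$((i + 1))
        if [ "$i" -lt "$count" ]; then sleep "$interval"; fi
    done
}

# Reads sample lines on stdin and reports, per entry, how many samples were active.
summarize_samples() {
    awk '{ total[$4]++; if ($3 == "active") act[$4]++ }
         END { for (e in total)
                   printf "%s active in %d of %d samples\n", e, act[e], total[e] }'
}

# Usage: script.sh --sample [count] [interval_seconds]
if [ "${1:-}" = "--sample" ]; then
    sample_forwarders "${2:-60}" "${3:-5}" | summarize_samples
fi
```

With a scripted input that fires every 5 minutes, sampling every 5 seconds for longer than one interval should show the forward-server active in only a small share of the samples.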