Hi Splunkers,
I have forwarded the data using a universal forwarder to a heavy forwarder and then to an indexer, where I am seeing all the data from my agent server. But the problem is I don't know why the UF is still saying "configured but inactive".
At the universal forwarder end I am seeing in splunkd.log:
08-14-2018 07:03:34.401 -0400 INFO TcpOutputProc - Initializing connection for non-ssl forwarding to 165.113.21.66:9997
08-14-2018 07:03:34.538 -0400 INFO TcpOutputProc - Connected to idx=165.113.21.66:9997, pset=0, reuse=0.
08-14-2018 07:14:15.696 -0400 INFO TcpOutputProc - Initializing connection for non-ssl forwarding to 165.113.21.66:9997
08-14-2018 07:14:15.814 -0400 INFO TcpOutputProc - Connected to idx=165.113.21.66:9997, pset=0, reuse=0.
08-20-2018 06:12:36.906 -0400 INFO TcpOutputProc - Initializing connection for non-ssl forwarding to 165.113.21.66:9997
08-20-2018 06:12:37.038 -0400 INFO TcpOutputProc - Connected to idx=165.113.21.66:9997, pset=0, reuse=0.
and this also (don't know why)
[root@abc.com bin]# ./splunk list forward-server
Active forwards:
None
Configured but inactive forwards:
165.113.21.66:9997
and at heavy forwarder end
[root@def.com bin]# ./splunk display listen
Your session is invalid. Please login.
Splunk username: admin
Password:
Receiving is enabled on port 9997
In splunkd.log at the heavy forwarder end:
08-14-2018 07:04:26.163 -0400 INFO TcpInputProc - clustering is enabled but ACK not enabled on forwarder=165.113.20.239
Everything is connected. But still, why am I seeing this "Configured but inactive forwards:"? I don't know why, and I have also tried telnet from the universal forwarder to the heavy forwarder server:
[root@abc.com bin]# telnet def.com 9997
Trying def.com...
Connected to def.com.
Escape character is '^]'.
Guys, please help. Although I am receiving all my data at the indexer, I still want to know why I am seeing the "configured but not active" entry in the universal forwarder.
As @teunlaan mentioned: the list forward-server command only shows things as active when there is actual data going across. If your only input is running just once every 5 minutes, then it will probably be silent for a good part of the time and therefore show as inactive.
If you put a watch on that command, and keep your eyes on it when the scripted input triggers, you'll likely see it come to life.
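The behaviour described in the answer above can be observed by polling the command and logging only the state changes. This is an added example, not part of the original thread: the function names and the constructed SAMPLE_BUSY output are assumptions, and it assumes the CLI session is already authenticated.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Read `splunk list forward-server` output on stdin and print one
# "<state> <host:port>" line per configured server.
parse_forward_servers() {
    awk '
        /^[ \t]*Active forwards:/                  { state = "active";   next }
        /^[ \t]*Configured but inactive forwards:/ { state = "inactive"; next }
        # Server lines carry host:port in the first field; "None" is skipped.
        state != "" && $1 ~ /:[0-9]+$/             { print state, $1 }
    '
}

# Poll the CLI every INTERVAL seconds and print a line only when the state
# changes, so a burst from a 5-minute scripted input appears as an
# inactive -> active -> inactive sequence with timestamps.
watch_forward_servers() {
    splunk_bin=${1:-./splunk}
    interval=${2:-5}
    prev=""
    while :; do
        # stdin is closed so an expired CLI session fails instead of prompting
        cur=$("$splunk_bin" list forward-server </dev/null 2>/dev/null |
              parse_forward_servers)
        if [ "$cur" != "$prev" ]; then
            printf '%s\n%s\n' "$(date '+%m-%d-%Y %H:%M:%S')" "$cur"
            prev=$cur
        fi
        sleep "$interval"
    done
}

# Output as posted in the question (forwarder idle between script runs).
SAMPLE_IDLE='Active forwards:
    None
Configured but inactive forwards:
    165.113.21.66:9997'

# Constructed sample: the same forwarder while the scripted input is sending.
SAMPLE_BUSY='Active forwards:
    165.113.21.66:9997
Configured but inactive forwards:
    None'

# Usage from the forwarder bin directory: watch_forward_servers ./splunk 5
```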
Hey @kannu,
Refer to this accepted answer:
https://answers.splunk.com/answers/48760/how-to-activate-forward-server.html
Let me know if this helps!!
@deepashri_123
My issue is different. Actually, I am receiving all the data, whatever I request the forwarder to send, but what I am not sure about is why the Splunk forwarder agent is putting my indexer name in "configured but not active".
Proof I have already provided above.
Can you try to increase the processing memory by limiting the services and stopping the unwanted services which are included in the monitoring phase of the UF in Linux/Windows here?
Then stop and restart the services in this case.
Are you sending data while running the list forward-server command?
It will only show "active" if it is really active.
@teunlaan ,
Yes, I am sending live data and it is being received perfectly. For live data I have enabled the scripted input monitor, which is running on a cron schedule every 5 minutes.
@deepashri_123 @teunlaan please provide any update
Did you try restarting the universal forwarder?
What is in your outputs.conf?