Seeing all the forwarded data on indexer but universal forwarder is saying "configured but inactive"

kannu
Communicator

Hi Splunkers,

I have forwarded the data using a universal forwarder to a heavy forwarder and then to the indexer, where I am seeing all the data of my agent server. But the problem is that I don't know why the UF is still saying "configured but inactive".

At the universal forwarder end I am seeing in splunkd.log:

08-14-2018 07:03:34.401 -0400 INFO  TcpOutputProc - Initializing connection for non-ssl forwarding to 165.113.21.66:9997
08-14-2018 07:03:34.538 -0400 INFO  TcpOutputProc - Connected to idx=165.113.21.66:9997, pset=0, reuse=0.
08-14-2018 07:14:15.696 -0400 INFO  TcpOutputProc - Initializing connection for non-ssl forwarding to 165.113.21.66:9997
08-14-2018 07:14:15.814 -0400 INFO  TcpOutputProc - Connected to idx=165.113.21.66:9997, pset=0, reuse=0.
08-20-2018 06:12:36.906 -0400 INFO  TcpOutputProc - Initializing connection for non-ssl forwarding to 165.113.21.66:9997
08-20-2018 06:12:37.038 -0400 INFO  TcpOutputProc - Connected to idx=165.113.21.66:9997, pset=0, reuse=0.

and this also (don't know why)

[root@abc.com bin]# ./splunk list forward-server
Active forwards:
        None
Configured but inactive forwards:
        165.113.21.66:9997

and at heavy forwarder end

[root@def.com bin]# ./splunk display listen
Your session is invalid.  Please login.
Splunk username: admin
Password:
Receiving is enabled on port 9997 

In splunkd.log at the heavy forwarder end:

08-14-2018 07:04:26.163 -0400 INFO  TcpInputProc - clustering is enabled but ACK not enabled on forwarder=165.113.20.239

Everything is connected. But still, why am I seeing this "Configured but inactive forwards:"? I don't know why, and I have also tried telnet from the universal forwarder to the heavy forwarder server:

[root@abc.com bin]# telnet def.com 9997
Trying def.com...
Connected to def.com.
Escape character is '^]'.

Guys, please help. Although I am receiving all my data at the indexer, I still want to know why I am seeing the "configured but not active" entry on the universal forwarder.

0 Karma
1 Solution

FrankVl
Ultra Champion

As @teunlaan mentioned: the list forward-server command only shows things as active when there is actual data going across. If your only input is running just once every 5 minutes, then it will probably be silent for a good part of the time and therefore showing as inactive.

If you put a watch on that command, and keep your eyes on it when the scripted input triggers, you'll likely see it come to life.

0 Karma
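
The accepted answer's point, that `list forward-server` reflects whether data is flowing at that moment rather than whether the connection works, can be cross-checked against splunkd.log. This added example (not from any poster in the thread or from Splunk; the function names are hypothetical and the sample input is copied from the question) reports, for each forward the CLI lists as inactive, the last `Connected to idx=` time found in the log.

```python
import re
from datetime import datetime

# Sample input copied from the question in this thread.
SPLUNKD_LOG = """\
08-14-2018 07:03:34.538 -0400 INFO  TcpOutputProc - Connected to idx=165.113.21.66:9997, pset=0, reuse=0.
08-20-2018 06:12:36.906 -0400 INFO  TcpOutputProc - Initializing connection for non-ssl forwarding to 165.113.21.66:9997
08-20-2018 06:12:37.038 -0400 INFO  TcpOutputProc - Connected to idx=165.113.21.66:9997, pset=0, reuse=0.
"""
CLI_OUTPUT = """\
Active forwards:
        None
Configured but inactive forwards:
        165.113.21.66:9997
"""
CONNECTED = re.compile(
    r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) \w+\s+"
    r"TcpOutputProc - Connected to idx=([^,\s]+)")

def parse_forward_server(text):
    """Split `splunk list forward-server` output into active/inactive lists."""
    result, section = {"active": [], "inactive": []}, None
    for line in text.splitlines():
        entry = line.strip()
        if entry.startswith("Active forwards"):
            section = "active"
        elif entry.startswith("Configured but inactive"):
            section = "inactive"
        elif section and entry and entry != "None":
            result[section].append(entry)
    return result

def last_connected(log_text):
    """Map each receiver (host:port) to its latest 'Connected to idx=' time."""
    seen = {}
    for line in log_text.splitlines():
        m = CONNECTED.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S.%f %z")
            seen[m.group(2)] = max(ts, seen.get(m.group(2), ts))
    return seen

def reconcile(cli_text, log_text):
    """For each forward the CLI lists as inactive, give the last logged connect."""
    connects = last_connected(log_text)
    return {f: connects.get(f) for f in parse_forward_server(cli_text)["inactive"]}

if __name__ == "__main__":
    for fwd, ts in reconcile(CLI_OUTPUT, SPLUNKD_LOG).items():
        print(fwd, "last connected:", ts.isoformat() if ts else "not in this log")
```

A forward that is listed as inactive but has a recent connect time in the log matches the idle-between-inputs case described in the answer; `None` means the log excerpt contains no successful connect for it.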

deepashri_123
Motivator

Hey @kannu,

Refer to this accepted answer:
https://answers.splunk.com/answers/48760/how-to-activate-forward-server.html

Let me know if this helps!!

0 Karma

kannu
Communicator

@deepashri_123

My issue is different. Actually, I am receiving all the data, whatever I request the forwarder to send, but what I am not sure of is why the Splunk forwarder agent is putting my indexer name in "configured but not active".

Proof I have already provided above.

0 Karma

securitytweaker
Explorer

Can you try to increase the processing memory by limiting the services and stopping the unwanted services which are included in the monitoring phase of the UF in Linux/Windows here?

Then try stopping and restarting the services in this case.

0 Karma

teunlaan
Contributor

Are you sending data while running the list forward-server command?

It will only show "active" if it is really active.

0 Karma

kannu
Communicator

@teunlaan ,

Yes, I am sending live data and it is being received perfectly. For live data I have enabled the scripted input monitor, which is running on a cron schedule every 5 minutes.

0 Karma

kannu
Communicator

@deepashri_123 @teunlaan please provide any update

0 Karma

deepashri_123
Motivator

Did you try restarting the universal forwarder?

0 Karma

teunlaan
Contributor

What is in your outputs.conf?

0 Karma