I am a newbie to Splunk. Any help is appreciated.
So I have Splunk Enterprise on my Windows computer, and the Splunk forwarder on an Ubuntu VPS server with a Cowrie honeypot built in. So my problem is that when I try to ping test my local computer with the VPS server, I have 100% packet loss.
Also the splunkd log file is full of "cooked connection to "my-local-ip" timed out" and
"... blocked for blocked_seconds=3000. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data."
errors.
Thanks for helping. I am waiting for your response.
Hi @Cyner__ ,
at first, did you follow the instructions at https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/Usingforwardingagents ?
In other words:
When you have done the above steps, you can check the connection using the following search:
index=_internal host=your_client_host
Ciao.
Giuseppe
Thanks for the help @gcusello
But my problem still occurs.
When I use telnet with port 9997 to my computer (tried both private and public IP), telnet gives a "connection timed out" error.
I already enabled receiving.
I don't know if I enabled the forwarder or not, but I started it with the command and configured the output and input file.
This is inputs.conf:
[monitor:///home/cowrie/cowrie/var/log/cowrie/cowrie.json]
index = cowrie
sourcetype = json
disabled = false
This is outputs.conf:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
disabled = false
server = my-private-ip:9997
Sorry if I missed something; as I said, I'm new to both Linux and Splunk.
Hi @Cyner__ ,
you should run telnet from the client, not from the server:
telnet my-private-ip 9997
If it doesn't answer, there's something in the middle (e.g. personal firewalls) that blocks the connection.
Ciao.
Giuseppe
Hi @gcusello
I think I found my problem. I don't have port 9997 open on my forwarder server, I guess.
This is the screenshot. How can I open port 9997?
Hi @Cyner__ ,
port 9997 must be opened on Splunk Enterprise, not on the client; you can open the port in [Settings > Forwarding and Receiving > Receiving].
In fact the telnet test must be done on the client, not from the Splunk Server.
Did you complete all the steps described in the document or in my previous answer?
Ciao.
Giuseppe
Hi @gcusello
Yes, I did all. What do you mean by client? Do you mean the server with the forwarder or Splunk Enterprise?
And when I try to telnet the Splunk server via the forwarder server ("I think it's the client"), the connection always times out.
I saw my Splunk server (my computer, I guess) doesn't have any inputs.conf in the directory C:\Program Files\Splunk\etc\system\local.
What should I do?
Best regards
Hi @Cyner__,
you have to enable receiving on Splunk Enterprise,
then you have to check the route from the Universal Forwarder on port 9997 to the Splunk Enterprise (using telnet),
then you have to configure your outputs.conf (as described in the above link) in the Universal Forwarder.
Ciao.
Giuseppe
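The two checks Giuseppe asks for in this answer and in his earlier one (test the TCP path from the client to the indexer on port 9997, then look at what splunkd.log reports) can be scripted on the Ubuntu forwarder host. The script below is an added example written for this thread; it is not code from the thread's participants or from Splunk. It assumes the Universal Forwarder is installed under /opt/splunkforwarder (override with SPLUNK_HOME), that its log is at var/log/splunk/splunkd.log under that directory, and it embeds constructed sample log lines so the counter can be tried without a live forwarder. The indexer address is passed on the command line; "my-private-ip" from the thread is only a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from Splunk. Run it on the Universal
# Forwarder host (the "client") to do what Giuseppe describes: check whether the
# indexer accepts TCP on 9997, and count the forwarding errors in splunkd.log.
# The install path, log path and sample log lines below are assumptions.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"        # assumed UF install dir
SPLUNKD_LOG="${SPLUNK_HOME}/var/log/splunk/splunkd.log"   # assumed log location

# check_port HOST PORT [TIMEOUT_SECONDS]
# Opens a TCP connection with bash's /dev/tcp, so it works even when telnet is
# not installed on the VPS. Returns 0 if the port accepted the connection,
# 1 if it did not, 2 on bad arguments.
check_port() {
    host="$1"; port="$2"; timeout_s="${3:-5}"
    if [ -z "$host" ] || [ -z "$port" ]; then
        echo "usage: check_port HOST PORT [TIMEOUT_SECONDS]" >&2
        return 2
    fi
    if timeout "$timeout_s" bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null; then
        echo "OK: ${host}:${port} accepted a TCP connection"
        return 0
    fi
    echo "FAIL: ${host}:${port} unreachable (firewall/NAT in the middle, or receiving not enabled)"
    return 1
}

# count_forwarding_errors LOGFILE
# Prints how many lines match the two messages quoted in the question:
# "Cooked connection to ... timed out" and "... blocked for blocked_seconds=".
# A non-zero count together with a failing check_port points at the network
# path between forwarder and indexer, not at inputs.conf.
count_forwarding_errors() {
    logfile="$1"
    if [ ! -r "$logfile" ]; then
        echo "cannot read $logfile" >&2
        return 2
    fi
    # grep -c exits 1 when nothing matches; still print the 0 and succeed.
    grep -c -i -E 'cooked connection to .* timed out|blocked for blocked_seconds=' "$logfile" || true
}

# Constructed sample lines in splunkd.log format (not taken from the asker's
# VPS) so the counter can be tried offline: two errors, one healthy line.
sample_log() {
    cat <<'EOF'
03-15-2024 10:00:01.000 +0000 WARN  TcpOutputProc [12345 TcpOutEloop] - Cooked connection to ip=192.0.2.10:9997 timed out
03-15-2024 10:00:02.000 +0000 INFO  TcpOutputProc [12345 TcpOutEloop] - Connected to idx=192.0.2.10:9997, pset=0, reuse=0.
03-15-2024 10:05:01.000 +0000 WARN  TcpOutputProc [12345 TcpOutEloop] - The TCP output processor has paused the data flow. Forwarding to host_dest=192.0.2.10 inside output group default-autolb-group from host_src=vps01 has been blocked for blocked_seconds=3000. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.
EOF
}

# Usage: bash check_forwarder.sh <indexer-ip> [port]
if [ "$#" -ge 1 ]; then
    check_port "$1" "${2:-9997}" || true
    count_forwarding_errors "$SPLUNKD_LOG" || true
fi
```

Run it as `bash check_forwarder.sh <indexer-ip> 9997` on the forwarder. A FAIL from check_port while the indexer's receiving port is enabled means the packets are being dropped between the two hosts (cloud security group, router NAT, or a host firewall), which is consistent with the 100% ping loss in the question; a rising error count with an OK from check_port instead points at the indexer not accepting data, which is what the "blocked_seconds" message says to check in the Monitoring Console.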
Ok. Now I run the telnet <my-forwarders-ip> 9997 command from my Windows PC.
The result is "could not open connection to the host. port 9997 .connect failed"
I ran it for both the private IP and the public IP.
My Windows firewall is disabled and my forwarder server doesn't even have a firewall installed.
Ah, also when I clicked the "data summary" button in the Splunk Enterprise web UI, I only see "waiting for results".
Also I can't find anything in Splunk Enterprise. Nothing in the forwarder management section and no data whatsoever.