Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk universal forwarder issues in windows

Sravane
Observer
‎01-11-2021 03:23 AM

Hi All - I have installed SPlunk master in Linux and universal forwarder in Windows box.

And Also opened all Ports .Currently when i do Telnet server ip 9997 ,it is showing timeout in windows box.

In Splunk logs found following warning.Cooked connectioned timeout and some certificate issues.

 

Can you please provide rootcause or solution  for this issue.

 

 

Labels (3)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-11-2021 04:03 AM

Hi @Sravane,

let me understand:

  • you have Splunk Enterprise on a Linux server (Indexer),
  • you have a Universal Forwarder on Linux,
  • you're testing connection betweem Forwarder and Indexer using Telnet from Forwarder to Indexer and you fail;

is it correct?

If this is your situation, you have to check the following items:

  • did you enabled receiving on Indexer on 9997 port?
  • did you disabled local firewall on Indexer?
  • are you sure that there isn't any Firewall between Forwarder and Indexer,
  • Are they in different network segments?

Check the above items and then try again with telnet.

Ciao.

Giuseppe

0 Karma
Reply

Sravane
Observer
‎01-11-2021 06:42 AM

Hi Ciao -Let explain question 

  • My Splunk Enterprise on a Linux server (Indexer),
  • And my Universal Forwarder on windows
  • Added 9997 port in Splunk master

And connection between Splunk enterprise and forwarder is failing. We enabled ports aswell

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-11-2021 07:00 AM

Hi @Sravane,

are you saying that:

  • you enabled receiving on Indexer on 9997 port [Settings -- Forwarding and Receiving -- receiving];
  • you disabled local firewall on Indexer (iptables);
  • you're sure that there isn't any Firewall between Forwarder and Indexer;
  • both the servers are in the same network segments.

Can you confirm?

If telnet from Forwarder to Indexer fails, probably one of the previous checks is wrong.

Ciao.

Giuseppe

0 Karma
Reply

Sravane
Observer
‎01-11-2021 07:26 AM

Hi -Please let me know how to disable firewall?

  • you disabled local firewall on Indexer (iptables);

ANy commands to run?

Moreover,i tried telnet ip 9997 in universal forwared server and i got following error


"Configured but inactive forwards"

Thanks,

Sravan

Thanks,

Sravan

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-11-2021 07:33 AM

Hi @Sravane,

it depends on the Linux version you're using, you can search it in Google.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...