Getting Data In

Splunk universal forwarder issues in Windows

Sravane
Observer

Hi All - I have installed Splunk master on Linux and a universal forwarder on a Windows box.

I have also opened all ports. Currently, when I do Telnet server ip 9997, it shows a timeout on the Windows box.

In the Splunk logs I found the following warning: Cooked connection timeout and some certificate issues.

Can you please provide the root cause or a solution for this issue?

gcusello
SplunkTrust

Hi @Sravane,

let me understand:

  • you have Splunk Enterprise on a Linux server (Indexer),
  • you have a Universal Forwarder on Linux,
  • you're testing the connection between Forwarder and Indexer using Telnet from Forwarder to Indexer and it fails;

is it correct?

If this is your situation, you have to check the following items:

  • did you enable receiving on the Indexer on port 9997?
  • did you disable the local firewall on the Indexer?
  • are you sure that there isn't any Firewall between Forwarder and Indexer?
  • Are they in different network segments?

Check the above items and then try again with telnet.

Ciao.

Giuseppe


Sravane
Observer

Hi Ciao - Let me explain the question

  • My Splunk Enterprise is on a Linux server (Indexer),
  • And my Universal Forwarder is on Windows
  • Added 9997 port in Splunk master

And the connection between Splunk Enterprise and the forwarder is failing. We enabled the ports as well.


gcusello
SplunkTrust

Hi @Sravane,

are you saying that:

  • you enabled receiving on Indexer on 9997 port [Settings -- Forwarding and Receiving -- receiving];
  • you disabled local firewall on Indexer (iptables);
  • you're sure that there isn't any Firewall between Forwarder and Indexer;
  • both the servers are in the same network segments.

Can you confirm?

If telnet from Forwarder to Indexer fails, probably one of the previous checks is wrong.

Ciao.

Giuseppe
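
Added example, not part of the original posts and not Splunk tooling: the telnet test in this thread can fail in different ways, and the way it fails narrows down which checklist item is wrong. The sketch below classifies one TCP connect to the receiving port; the names `probe` and `diagnose` and the address `192.0.2.10` are illustrative assumptions.

```python
import errno
import socket
import sys

# What each connect outcome says about the checklist in this thread.
HINTS = {
    "open": "TCP path is fine; check the certificate warnings in the forwarder log next",
    "refused": "host answers but nothing listens; check that receiving is enabled on the indexer",
    "timeout": "no reply at all; a local or network firewall is probably dropping the packets",
    "unreachable": "no route to the host; check network segments and routing",
}

def probe(host, port=9997, timeout=5.0):
    """Attempt one TCP connect; return 'open', 'refused', 'timeout' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # A RST came back: the host is reachable, the port has no listener.
        return "refused"
    except socket.timeout:
        # Silence until the deadline: typical of a firewall DROP rule.
        return "timeout"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        if exc.errno == errno.ETIMEDOUT:
            return "timeout"
        raise  # e.g. name resolution failure: report it unchanged

def diagnose(host, port=9997, timeout=5.0):
    """Return (state, hint) for the forwarder-to-indexer connection."""
    state = probe(host, port, timeout)
    return state, HINTS[state]

if __name__ == "__main__":
    # 192.0.2.10 is a documentation placeholder, not a real indexer address.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    state, hint = diagnose(target)
    print(f"{target}:9997 -> {state}: {hint}")
```

Run it on the forwarder host with the indexer address as the argument; a `timeout` result matches the telnet behaviour reported in the question.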


Sravane
Observer

Hi - Please let me know how to disable the firewall.

  • you disabled local firewall on Indexer (iptables);

Any commands to run?

Moreover, I tried telnet ip 9997 on the universal forwarder server and I got the following error:


"Configured but inactive forwards"

Thanks,

Sravan


gcusello
SplunkTrust

Hi @Sravane,

it depends on the Linux version you're using; you can search for it on Google.

Ciao.

Giuseppe
