Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Universal forwarder is not working as an intermediate forwarder.

asingla
Communicator
‎10-18-2011 08:24 AM

I have the below deployment topology

Program -> Universal Forwarder (UF1) -> Universal Forwarder (UF2) (Intermediate) -> Main Indexer

'->' the flow of TCP message originated from the Program.

I don't see the messages reaching to the main indexer.

Main Indexer is installed on host3 and listening on 44444.

I used command lines to configure the universal forwarders as below

UF2 in installed on host2 and configure to listen on 33333 for tcp messages and forwarding to main indexer.

1) splunk add tcp 33333

2) splunk add forwarder-server host3:44444

UF1 is installed on host1 and configure to listen on 22222 for tcp messages and forwarding to universal forwarder installed on host2.

1) splunk add tcp 22222

2) splunk add forwarder-server host2:33333

My program is sending tcp message to UF1 and I don't see that message reaching all the way to main indexer. FYI, If I configure UF1/UF2 to directly send messages to main indexer , that works for me.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Steve_G_
Splunk Employee
Splunk Employee
‎10-18-2011 11:04 AM

You need to make UF2 a receiver for data getting forwarded from UF1. To enable it, use this command:

./splunk enable listen -auth :

In your case, would be 33333.

See this topic for more details:

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Enableareceiver

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Steve_G_
Splunk Employee
Splunk Employee
‎10-18-2011 11:04 AM

You need to make UF2 a receiver for data getting forwarded from UF1. To enable it, use this command:

./splunk enable listen -auth :

In your case, would be 33333.

See this topic for more details:

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Enableareceiver

0 Karma
Reply
Solved! Jump to solution

asingla
Communicator
‎02-02-2012 06:19 AM

It works. So it's just the CLI bug. Thanks.

0 Karma
Reply
Solved! Jump to solution

Steve_G_
Splunk Employee
Splunk Employee
‎10-18-2011 11:59 AM

Try adding this stanza to the inputs.conf file on UF2:

[splunktcp://33333]

0 Karma
Reply
Solved! Jump to solution

asingla
Communicator
‎10-18-2011 11:21 AM

That's what I tired at the first place.
./splunk enable listen 33333

Bit I got a command error:

Command error: The subcommand 'listen' is not valid for command 'enable'.

Looks like this command is not supported in Universal Forwarder.

So I thought that I would just add a tcp listener instead.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...