Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What issue would cause a heavy forwarder to show a status of "SplunkForwarder UNCONFIGURED ENABLED"?

msantich
Path Finder
‎11-11-2014 09:16 AM

we're in the process of investigating why our heavy forwarders are not forwarding events from the myriad universal forwarders to our indexer.

in the diagnostic process we ran ./splunk display app from one of our heavy forwarders. the results show:
SplunkForwarder UNCONFIGURED ENABLED.

can anyone explain what issue we might have that causes the status to show UNCONFIGURED, yet enabled.

we're missing something......

thanks in advance.

michaelS

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

msantich
Path Finder
‎11-11-2014 11:46 AM

ANSWERED, but still curious.

although the output of the list forward-server showed all active forwards correctly, we re-issued the add forward-server command and now the events are correctly being forwarded.

there must be something subtle that requires that the add forward server command be run even though all forward servers are already configured.....

if anyone can comment on this...we'd appreciated it..

anyway, we're up now....thanks all.

View solution in original post

Reply
Solved! Jump to solution
Solution

msantich
Path Finder
‎11-11-2014 11:46 AM

ANSWERED, but still curious.

although the output of the list forward-server showed all active forwards correctly, we re-issued the add forward-server command and now the events are correctly being forwarded.

there must be something subtle that requires that the add forward server command be run even though all forward servers are already configured.....

if anyone can comment on this...we'd appreciated it..

anyway, we're up now....thanks all.

Reply
Solved! Jump to solution

msantich
Path Finder
‎11-11-2014 10:04 AM

Splunk heavy forwarders had been working....recent upgrade of OS (Linux) and re-create of forwarder results in heavy forwarders NOT relaying events from lower tier universal forwarders
we're just missing something on re-create effort

0 Karma
Reply
Solved! Jump to solution

msantich
Path Finder
‎11-11-2014 09:52 AM
  • deployment monitor shows forwarders are "connecting" to indexer
  • events generated locally on the forwarders ARE getting to the indexer.
  • Only events from universal forwarders are not getting though.

from universal forwarders, list forward-server shows the heavy forwarder and indexer OK.

0 Karma
Reply
Solved! Jump to solution

msantich
Path Finder
‎11-11-2014 09:44 AM

Thanks much....version 4.2.5

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...