Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What issue would cause a heavy forwarder to show a status of "SplunkForwarder UNCONFIGURED ENABLED"?

msantich
Path Finder
‎11-11-2014 09:16 AM

we're in the process of investigating why our heavy forwarders are not forwarding events from the myriad universal forwarders to our indexer.

in the diagnostic process we ran ./splunk display app from one of our heavy forwarders. the results show:
SplunkForwarder UNCONFIGURED ENABLED.

can anyone explain what issue we might have that causes the status to show UNCONFIGURED, yet enabled.

we're missing something......

thanks in advance.

michaelS

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

msantich
Path Finder
‎11-11-2014 11:46 AM

ANSWERED, but still curious.

although the output of the list forward-server showed all active forwards correctly, we re-issued the add forward-server command and now the events are correctly being forwarded.

there must be something subtle that requires that the add forward server command be run even though all forward servers are already configured.....

if anyone can comment on this...we'd appreciated it..

anyway, we're up now....thanks all.

View solution in original post

Reply
Solved! Jump to solution
Solution

msantich
Path Finder
‎11-11-2014 11:46 AM

ANSWERED, but still curious.

although the output of the list forward-server showed all active forwards correctly, we re-issued the add forward-server command and now the events are correctly being forwarded.

there must be something subtle that requires that the add forward server command be run even though all forward servers are already configured.....

if anyone can comment on this...we'd appreciated it..

anyway, we're up now....thanks all.

Reply
Solved! Jump to solution

msantich
Path Finder
‎11-11-2014 10:04 AM

Splunk heavy forwarders had been working....recent upgrade of OS (Linux) and re-create of forwarder results in heavy forwarders NOT relaying events from lower tier universal forwarders
we're just missing something on re-create effort

0 Karma
Reply
Solved! Jump to solution

msantich
Path Finder
‎11-11-2014 09:52 AM
  • deployment monitor shows forwarders are "connecting" to indexer
  • events generated locally on the forwarders ARE getting to the indexer.
  • Only events from universal forwarders are not getting though.

from universal forwarders, list forward-server shows the heavy forwarder and indexer OK.

0 Karma
Reply
Solved! Jump to solution

msantich
Path Finder
‎11-11-2014 09:44 AM

Thanks much....version 4.2.5

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...