Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I unable to configure a search head as a forwarder?

vikas_gopal
Builder
‎01-10-2017 12:24 AM

Hi Experts,

I got a situation. I have 3 search heads, 2 Indexers . I want to use one of the SH as a forwarder. So the idea is the 3rd SH reads data from TCP:3315 and sensd to both Indexers using autoLB.

I am using following inputs.conf

[tcp://:3315]
index=test
sourcetype=log

and outputs.conf

[indexAndForward]
index=false

[tcpout]
defaultGroup = my_search_peers
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:my_search_peers]
server = x.x.x.x:9997,x.x.x.x:9997
autoLB = true

What I believe Problem here is SH3 is not able to read data from port 3315. Because when I manually place data locally in a file and try to index it using same outputs.conf, it works. I also checked with the team, port 3315 is opened on SH3. Is there anything which I am missing .

Thanks
VG

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vikas_gopal
Builder
‎01-10-2017 01:51 AM

Well we got the solution , since this port was already in use so I changed the port and things works properly .Now I am able to send data from SH3 to both the indexers. Thanks Guys for your help and support .

View solution in original post

Reply
Solved! Jump to solution
Solution

vikas_gopal
Builder
‎01-10-2017 01:51 AM

Well we got the solution , since this port was already in use so I changed the port and things works properly .Now I am able to send data from SH3 to both the indexers. Thanks Guys for your help and support .

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-10-2017 12:56 AM

Hi vikas_gopal,
which operative system are you using? there are limitations to use some port ranges.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

vikas_gopal
Builder
‎01-10-2017 01:14 AM

Hi Cusello,
We are using Linux AMI for overall Splunk Distributed environment .

Thanks
Vikas

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎01-10-2017 12:55 AM

Are those SH clustered ?

  • First thing you need to check is whether the port is listening using lsof or netstat
  • Then just run nc -l 3315 and try connecting to this server from source server using telnet
  • Try sending some sample data and see if you are receiving those on the terminal you opened above

This should atleast tell you whether the port is listening and your source server can send the data.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

vikas_gopal
Builder
‎01-10-2017 01:12 AM

Hi Renjith,

Yes all 3 are in SHC also I checked this port using netstat -aln|grep 3315 , I got Listen.
I also checked nc -l 3315 , and send some sample data from SH3. I am able to receive it on the indexer . Clear problem which I can understand is SH3 is not able to read data from TCP:3315 and then further send it to Indexer.

0 Karma
Reply
Solved! Jump to solution

vikas_gopal
Builder
‎01-10-2017 01:16 AM

Do I need to change anything in Input.conf ?

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top