Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I unable to configure a search head as a forwarder?

vikas_gopal
Builder
‎01-10-2017 12:24 AM

Hi Experts,

I got a situation. I have 3 search heads, 2 Indexers . I want to use one of the SH as a forwarder. So the idea is the 3rd SH reads data from TCP:3315 and sensd to both Indexers using autoLB.

I am using following inputs.conf

[tcp://:3315]
index=test
sourcetype=log

and outputs.conf

[indexAndForward]
index=false

[tcpout]
defaultGroup = my_search_peers
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:my_search_peers]
server = x.x.x.x:9997,x.x.x.x:9997
autoLB = true

What I believe Problem here is SH3 is not able to read data from port 3315. Because when I manually place data locally in a file and try to index it using same outputs.conf, it works. I also checked with the team, port 3315 is opened on SH3. Is there anything which I am missing .

Thanks
VG

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vikas_gopal
Builder
‎01-10-2017 01:51 AM

Well we got the solution , since this port was already in use so I changed the port and things works properly .Now I am able to send data from SH3 to both the indexers. Thanks Guys for your help and support .

View solution in original post

Reply
Solved! Jump to solution
Solution

vikas_gopal
Builder
‎01-10-2017 01:51 AM

Well we got the solution , since this port was already in use so I changed the port and things works properly .Now I am able to send data from SH3 to both the indexers. Thanks Guys for your help and support .

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-10-2017 12:56 AM

Hi vikas_gopal,
which operative system are you using? there are limitations to use some port ranges.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

vikas_gopal
Builder
‎01-10-2017 01:14 AM

Hi Cusello,
We are using Linux AMI for overall Splunk Distributed environment .

Thanks
Vikas

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎01-10-2017 12:55 AM

Are those SH clustered ?

  • First thing you need to check is whether the port is listening using lsof or netstat
  • Then just run nc -l 3315 and try connecting to this server from source server using telnet
  • Try sending some sample data and see if you are receiving those on the terminal you opened above

This should atleast tell you whether the port is listening and your source server can send the data.

Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

vikas_gopal
Builder
‎01-10-2017 01:12 AM

Hi Renjith,

Yes all 3 are in SHC also I checked this port using netstat -aln|grep 3315 , I got Listen.
I also checked nc -l 3315 , and send some sample data from SH3. I am able to receive it on the indexer . Clear problem which I can understand is SH3 is not able to read data from TCP:3315 and then further send it to Indexer.

0 Karma
Reply
Solved! Jump to solution

vikas_gopal
Builder
‎01-10-2017 01:16 AM

Do I need to change anything in Input.conf ?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...