Why am I unable to configure a search head as a forwarder?

vikas_gopal
Builder

Hi Experts,

I got a situation. I have 3 search heads, 2 Indexers. I want to use one of the SH as a forwarder. So the idea is the 3rd SH reads data from TCP:3315 and sends it to both Indexers using autoLB.

I am using following inputs.conf

[tcp://:3315]
index=test
sourcetype=log

and outputs.conf

[indexAndForward]
index=false

[tcpout]
defaultGroup = my_search_peers
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:my_search_peers]
server = x.x.x.x:9997,x.x.x.x:9997
autoLB = true

I believe the problem here is that SH3 is not able to read data from port 3315, because when I manually place data locally in a file and try to index it using the same outputs.conf, it works. I also checked with the team; port 3315 is opened on SH3. Is there anything I am missing?

Thanks
VG

0 Karma
1 Solution

vikas_gopal
Builder

Well, we got the solution: since this port was already in use, I changed the port and things work properly. Now I am able to send data from SH3 to both the indexers. Thanks, guys, for your help and support.

gcusello
SplunkTrust

Hi vikas_gopal,
Which operating system are you using? There are limitations on using some port ranges.
Bye.
Giuseppe

0 Karma

vikas_gopal
Builder

Hi Cusello,
We are using Linux AMI for overall Splunk Distributed environment .

Thanks
Vikas

0 Karma

renjith_nair
SplunkTrust

Are those SH clustered ?

  • First thing you need to check is whether the port is listening using lsof or netstat
  • Then just run nc -l 3315 and try connecting to this server from source server using telnet
  • Try sending some sample data and see if you are receiving those on the terminal you opened above

This should at least tell you whether the port is listening and your source server can send the data.

Happy Splunking!
0 Karma

vikas_gopal
Builder

Hi Renjith,

Yes, all 3 are in SHC. Also, I checked this port using netstat -aln|grep 3315, and I got Listen.
I also checked nc -l 3315 and sent some sample data from SH3. I am able to receive it on the indexer. The clear problem, as I understand it, is that SH3 is not able to read data from TCP:3315 and then further send it to the indexer.

0 Karma
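
The thread turns on the difference between a port showing LISTEN and splunkd being the process that holds it. As an added example (not from any of the posts, and not Splunk's own tooling), these shell functions classify a port from `ss -H -ltnp` output; the sample lines and the process name `otherapp` are constructed.

```shell
#!/bin/sh
# Added example: decide who really holds a TCP listening port.
# Input format is that of `ss -H -ltnp` (no header, listening TCP, numeric, with process).

# Constructed sample lines; "otherapp" is a made-up process name.
sample_ss() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:3315 0.0.0.0:* users:(("otherapp",pid=2211,fd=7))
LISTEN 0 128 0.0.0.0:8089 0.0.0.0:* users:(("splunkd",pid=1480,fd=4))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=900,fd=3))
EOF
}

# port_owner PORT: read ss lines on stdin, print each process name listening on PORT.
port_owner() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")        # local address; the port is the last ":" field
            if (a[n] != port) next
            name = "unknown"             # ss omits users:(...) without enough privilege
            if (match($0, /users:\(\("[^"]+"/))
                name = substr($0, RSTART + 9, RLENGTH - 10)
            print name
        }' | sort -u
}

# classify_port PORT: print "free", "splunkd", or "conflict:<names>".
classify_port() {
    owners=$(port_owner "$1")
    case "$owners" in
        "")      echo "free" ;;
        splunkd) echo "splunkd" ;;
        *)       echo "conflict:$(printf '%s\n' "$owners" | paste -sd, -)" ;;
    esac
}

# Demo on the constructed sample; on a live host run: ss -H -ltnp | classify_port 3315
for p in 3315 8089 3316; do
    printf '%s -> %s\n' "$p" "$(sample_ss | classify_port "$p")"
done
```

A `conflict:` result for the port named in inputs.conf means another process already holds it, so the `[tcp://:<port>]` input needs a different port or the other listener has to be stopped.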

vikas_gopal
Builder

Do I need to change anything in inputs.conf?

0 Karma