Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I unable to connect my forwarder to an indexer cluster with error "failed to extract FwdTarget from json node..."?

cwyse
Explorer
‎01-12-2016 06:12 PM

I'm trying to get my forwarder to connect to an indexer cluster. I've tried changing every possible instance of pass4SymmKey to the same thing, but I still keep seeing the following error:

ERROR IndexerDiscoveryHeartbeatThread - failed to parse response payload for group=default-autolb-group, err=failed to extract FwdTarget from json node={"hostport":"?","ssl":false,"indexing_disk_space":-1}http_response=OK

If I change the key to something different on the cluster master and forwarder, I get an Unauthorized error, so I don't really think it's the key, but not sure what else would be causing this. Any ideas?

Reply
1 Solution
Solved! Jump to solution
Solution

Topographic0cea
Explorer
‎01-23-2016 03:37 PM

I finally figure this out. On one indexer I did not open the listen port with spunk enable listen 9997. Once I did this, the error went away and all worked fine. The error message is completely non-intuitive.

View solution in original post

Reply
Solved! Jump to solution

brent_weaver
Builder
‎02-03-2018 05:56 AM

I am having the same issue as you guys and it is driving me crazy. I have three env's and only one has this issue.

0 Karma
Reply
Solved! Jump to solution

vanallp
Explorer
‎01-26-2016 05:39 AM

I found my issues…
http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Multisiteconffile
My script installs the master, indexers, and search machines it performs a restart on each of them. Once that is complete, I deploy a configuration bundle to the indexers. That was my earlier problem – I was not performing the restart on all the splunk instances after the initial install.

Reply
Solved! Jump to solution

mstephenson716
Explorer
‎08-19-2019 06:11 PM

I forgot to restart my indexers after making them receivers. Thank you!

Reply
Solved! Jump to solution

meleperuma
Explorer
‎06-05-2019 03:01 PM

Thanks @vanallp. this is exactly what I was facing and it worked.

0 Karma
Reply
Solved! Jump to solution
Solution

Topographic0cea
Explorer
‎01-23-2016 03:37 PM

I finally figure this out. On one indexer I did not open the listen port with spunk enable listen 9997. Once I did this, the error went away and all worked fine. The error message is completely non-intuitive.

Reply
Solved! Jump to solution

MuS
Legend
‎05-17-2016 08:41 PM

Just fixed the exact same error, but my fix was to change the inputs.conf from 

 [splunktcp://:9997]

to

[splunktcp://9997]

cheers, MuS

Reply
Solved! Jump to solution

Topographic0cea
Explorer
‎01-13-2016 05:27 PM

I am seeing the same thing. it is NOT a password problem. If it was, you would get http_response=Unauthorized.

If I configure the forwarder to send to one indexer in the cluster, that works just fine. It is only if you try to use the cluster master to do indexer discovery. What the missing or bad config it, I cannot figure out.

0 Karma
Reply
Solved! Jump to solution

vanallp
Explorer
‎01-21-2016 09:58 AM

I'm having the same issue. I setup a test environment with 3 indexers in a cluster that worked fine. Now I am attempting to setup a pair of indexer clusters and the indexer discovery is failing.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎01-12-2016 06:25 PM

Hello, did you check the server.conf in both the local and default directories?

The pass4symkey gets encrypted in the server.conf when it is deployed. I believe it deploys to appName/default and encrypts to appName/local. Then when you later update this server.conf app and deploy the app, the deployment server overwrites what is in /default but not /local... so the old encrypted pass4symkey takes precedence.

So run this command and make sure the correct pass4symkey is being "read" and taking "precedence"

./splunk cmd btool server list --debug

http://docs.splunk.com/Documentation/Splunk/6.1/admin/Wheretofindtheconfigurationfiles

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...