Getting Data In

Why am I unable to establish a connection between the indexer and forwarder?

raghu0463
Explorer

I installed the forwarder on a Linux VM and I'm trying to establish a connection between the indexer and the forwarder, but was unable to do that. When I was trying to start the forwarder, the command is not working and I don't know why (./splunk start).

0 Karma
1 Solution

skoelpin
SplunkTrust

You need to be in the bin directory to start the Splunk forwarder.

Go to /opt/splunkforwarder/bin and execute ./splunk start, or do it all in a one-liner like /opt/splunkforwarder/bin/splunk start


0 Karma

raghu36668
New Member

At last I have established the connection between the indexer (host: Windows) and the forwarder (Linux), but now I'm stuck again at adding a specific indexer where I need to send my data. Actually I'm getting documents for Windows, but I'm finding it a bit difficult to find the documents for Linux.

0 Karma

skoelpin
SplunkTrust

You need to be in the bin directory to start the Splunk forwarder.

Go to /opt/splunkforwarder/bin and execute ./splunk start, or do it all in a one-liner like /opt/splunkforwarder/bin/splunk start

0 Karma

raghu0463
Explorer

I have done that. I was just checking the status of Splunk and want to try

ping myipaddress --- just want to check the connection between the forwarder and the indexer

and want to try the command ---- splunk add forward-server myipaddress:9997

but I'm stopping at this point itself.

[user@localhost bin]$ ./splunk start
splunkd 7002 was not running.
Stopping splunk helpers...
[ OK ]
Done.
Stopped helpers.
Removing stale pid file... done.
Splunk> Another one.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-6.5.2-67571ef4b87d-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...

Done
[ OK ]
[user@localhost bin]$ splunk status
bash: splunk: command not found...

0 Karma

skoelpin
SplunkTrust

You should also do a telnet from your forwarder to the indexer to verify you're not getting blocked by a firewall.

Install telnet

sudo yum install telnet

Once installed run this

telnet INDEXER_IP 9997

It should successfully connect

0 Karma
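
An alternative to the telnet check above that needs only bash and the coreutils timeout command, so nothing has to be installed on the forwarder. This is an added example, not part of the original thread; the function names are illustrative and INDEXER_IP in the usage comment is a placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): test TCP reachability of the indexer's
# receiving port without telnet. 9997 is the port used in this thread.

# check_port HOST PORT [TIMEOUT_SECONDS]
# Return codes: 0 connected, 1 refused or unreachable, 2 bad arguments,
#               3 no answer before the timeout (typical of a dropping firewall).
check_port() {
    local host="$1" port="$2" wait_s="${3:-5}" rc=0
    case "$port" in ''|*[!0-9]*) return 2 ;; esac
    if [ -z "$host" ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        return 2
    fi
    # bash opens a TCP socket when redirecting to /dev/tcp/HOST/PORT.
    # Host and port are passed as arguments, not spliced into the command string.
    timeout "$wait_s" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" \
        2>/dev/null || rc=$?
    case "$rc" in
        0)   return 0 ;;
        124) return 3 ;;   # timeout(1) gave up waiting for the connection
        *)   return 1 ;;
    esac
}

# describe_result HOST PORT [TIMEOUT_SECONDS]
# Runs the check and prints what the outcome suggests.
describe_result() {
    local rc=0
    check_port "$1" "$2" "${3:-5}" || rc=$?
    case "$rc" in
        0) echo "$1:$2 reachable: a listener accepted the connection" ;;
        1) echo "$1:$2 refused or unreachable: is the indexer listening on this port?" ;;
        3) echo "$1:$2 timed out: a firewall may be dropping the traffic" ;;
        *) echo "usage: describe_result HOST PORT [TIMEOUT_SECONDS]" >&2 ;;
    esac
    return "$rc"
}

# Runs only when called with arguments, e.g.: ./check_port.sh INDEXER_IP 9997
if [ "$#" -ge 2 ]; then
    describe_result "$@"
fi
```
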

raghu0463
Explorer

I'm getting this error while trying to run that command:

[user@localhost bin]$ sudo yum install telnet
[sudo] password for user :
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-
: manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
There are no enabled repos.
Run "yum repolist all" to see the repos you have.
You can enable repos with yum-config-manager --enable

0 Karma

skoelpin
SplunkTrust

This is more of a RHEL issue than Splunk, but it looks like you have a bad date or time on your system. You may also not have the subscription registered.

What do you get when you run ./splunk status while in the /opt/splunkforwarder/bin directory?

0 Karma

raghu0463
Explorer

[user@localhost bin]$ ./splunk status
splunkd is running (PID: 4365).
splunk helpers are running (PIDs: 4376).

0 Karma

raghu0463
Explorer

At last I have established the connection between the indexer (host: Windows) and the forwarder (Linux), but now I'm stuck again at adding a specific indexer where I need to send my data. Actually I'm getting documents for Windows, but I'm finding it a bit difficult to find the documents for Linux. I was trying to edit the outputs.conf file, but it's a bit different from the Windows one, I think.

0 Karma

raghu0463
Explorer

I was trying to add a folder to the forwarder to read data, but it's giving me an error: "Your session is invalid. Please login."

[root@localhost bin]# ./splunk add monitor /home/user/Desktop/Forward_Data -index my_db
Your session is invalid. Please login.

0 Karma

skoelpin
SplunkTrust

That's standard, the default creds for the forwarder are

user = admin
password = changeme

Once you enter this info, the forwarder will be added

0 Karma

raghu0463
Explorer

I have tried those login credentials but they're not working either,
and the forwarder is added already. I just want to send the data from the forwarder to the indexer,
so I'm trying to add a folder to the forwarder to monitor the data.

0 Karma

skoelpin
SplunkTrust

Reach out to me privately or start a new question for more info

0 Karma

raghu0463
Explorer

[user@localhost bin]$ yum repolist all
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-
: manager
repolist: 0

0 Karma

skoelpin
SplunkTrust

You're in the bin directory already so the command should look like this..

./splunk status

If you weren't in the bin directory then it would look like this

/opt/splunkforwarder/bin/splunk status

0 Karma

raghu0463
Explorer

This helped me.

0 Karma

skoelpin
SplunkTrust

Feel free to upvote if it helped 🙂

0 Karma