
Why am I unable to establish a connection between the indexer and forwarder?

raghu0463
Explorer

I installed the forwarder on a Linux VM and I'm trying to establish a connection between the indexer and forwarder, but was unable to do that. When I was trying to start the forwarder, the command is not working and I don't know why - (./splunk start)

0 Karma
1 Solution

skoelpin
SplunkTrust
SplunkTrust

You need to be in the bin directory to start the Splunk forwarder.

Go to /opt/splunkforwarder/bin and execute ./splunk start, or do it all in a one-liner like /opt/splunkforwarder/bin/splunk start


0 Karma

raghu36668
New Member

At last I have established the connection between the indexer (host-Windows) and forwarder (Linux), but now I'm stuck again at adding a specific indexer where I need to send my data. Actually I'm getting documents for Windows, but I'm finding it a bit difficult to find the documents for Linux.

0 Karma


raghu0463
Explorer

I have done that. I was just checking the status of Splunk and want to try

ping myipaddress --- just want to check the connection between forwarder and indexer

and want to try the command ---- splunk add forward -server myipaddress:9997

but I'm stopping at this point itself..

[user@localhost bin]$ ./splunk start
splunkd 7002 was not running.
Stopping splunk helpers...
[ OK ]
Done.
Stopped helpers.
Removing stale pid file... done.
Splunk> Another one.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-6.5.2-67571ef4b87d-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...

Done
[ OK ]
[user@localhost bin]$ splunk status
bash: splunk: command not found...

0 Karma

skoelpin
SplunkTrust
SplunkTrust

You should also do a telnet from your forwarder to the indexer to verify you're not getting blocked by a firewall.

Install telnet

sudo yum install telnet

Once installed run this

telnet INDEXER_IP 9997

It should successfully connect

0 Karma

raghu0463
Explorer

I'm getting this error while trying to run that command:

[user@localhost bin]$ sudo yum install telnet
[sudo] password for user :
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-
: manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
There are no enabled repos.
Run "yum repolist all" to see the repos you have.
You can enable repos with yum-config-manager --enable

0 Karma

skoelpin
SplunkTrust
SplunkTrust

This is more of a RHEL issue than Splunk, but it looks like you have a bad date or time on your system. You may also not have the subscription registered.

What do you get when you run ./splunk status while in the /opt/splunkforwarder/bin directory?

0 Karma

raghu0463
Explorer

[user@localhost bin]$ ./splunk status
splunkd is running (PID: 4365).
splunk helpers are running (PIDs: 4376).

0 Karma

raghu0463
Explorer

At last I have established the connection between the indexer (host-Windows) and forwarder (Linux), but now I'm stuck again at adding a specific indexer where I need to send my data. Actually I'm getting documents for Windows, but I'm finding it a bit difficult to find the documents for Linux. I was trying to edit the outputs.conf file, but it's a bit different from the Windows one, I think ....!!

0 Karma
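
The reachability test suggested in this thread, as an added example that is not part of any post: a shell script that reads the indexer targets from outputs.conf and tries a TCP connection to each through bash's /dev/tcp, so no telnet package has to be installed. The function names and the etc/system/local/outputs.conf default path are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): forwarder-to-indexer port check
# that needs no telnet package. Requires bash and coreutils timeout.
#
# Constructed sample of the stanza this parses:
#   [tcpout:lab]
#   server = INDEXER_IP:9997

# Print every host:port listed on "server =" lines in [tcpout...] stanzas.
list_forward_servers() {
    awk '
        /^[ \t]*\[/ { in_tcpout = ($0 ~ /^[ \t]*\[tcpout/) }
        in_tcpout && /^[ \t]*server[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, "")
            n = split($0, targets, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) if (targets[i] != "") print targets[i]
        }
    ' "$1"
}

# Return 0 if a TCP connection to host:port opens within 3 seconds.
# bash's /dev/tcp pseudo-device stands in for "telnet HOST PORT".
check_tcp() {
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# Check each target in an outputs.conf; non-zero if any is unreachable.
check_outputs_conf() {
    rc=0
    for target in $(list_forward_servers "$1"); do
        if check_tcp "${target%:*}" "${target##*:}"; then
            echo "OK $target"
        else
            echo "BLOCKED $target"
            rc=1
        fi
    done
    return "$rc"
}

# Assumed default location under the install path used in this thread.
conf=${1:-/opt/splunkforwarder/etc/system/local/outputs.conf}
if [ -r "$conf" ]; then check_outputs_conf "$conf"; fi
```

A BLOCKED line means the connection was refused, filtered or timed out, which points at a firewall or a receiving port that is not enabled on the indexer rather than at the forwarder configuration.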

raghu0463
Explorer

I was trying to add a folder to the forwarder to read data, but it's giving me an error: Your session is invalid. Please login.

[root@localhost bin]# ./splunk add monitor /home/user/Desktop/Forward_Data -index my_db
Your session is invalid. Please login.

0 Karma

skoelpin
SplunkTrust
SplunkTrust

That's standard, the default creds for the forwarder are

user = admin
password = changeme

Once you enter this info, the forwarder will be added

0 Karma

raghu0463
Explorer

I have tried those login credentials, but they're not working either,
and the forwarder is added already. I just want to send the data from the forwarder to the indexer,
so I'm trying to add a folder to the forwarder to monitor the data.

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Reach out to me privately or start a new question for more info

0 Karma

raghu0463
Explorer

[user@localhost bin]$ yum repolist all
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-
: manager
repolist: 0

0 Karma

skoelpin
SplunkTrust
SplunkTrust

You're in the bin directory already so the command should look like this..

./splunk status

If you weren't in the bin directory then it would look like this

/opt/splunkforwarder/bin/splunk status

0 Karma

raghu0463
Explorer

This helped me.

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Feel free to upvote if it helped 🙂

0 Karma