Getting Data In

Why are some Windows Universal Forwarders not responding to any Splunk commands like 'splunk status'?

pdjhh
Communicator

Hi,

I've installed a UF on about 10 Windows machines, some desktops and some servers, and see some strange behaviour. On about 6 of them all is fine but on the other handful of machines I can see the process running in the process manager but it won't respond to any splunk commands like 'splunk status'. Splunk status is accepted and just comes back blank; it returns to the prompt without returning anything. These guys, then, are also not sending Windows event data in to their heavy forwarder.

The servers are W2k8 and the desktops W7. On the desktops I see another DOS window pop up very briefly on my problematic ones when I enter splunk status or splunk stop or start.

Anyone seen anything like this?

Thanks.

0 Karma
1 Solution

martin_mueller
SplunkTrust

Open your command prompt as an admin account and try again.


martin_mueller
SplunkTrust

I'll just convert it myself 😄

0 Karma

pdjhh
Communicator

Thanks both of you. This is one of those ones where I don't have access to the boxes so I've asked the customer to try this. I'll advise once they get back to me.

0 Karma

dflodstrom
Builder

I have experienced this behavior and running the cmd prompt as admin did the trick for me! Thanks, Martin. Hopefully this gets changed to an answer for you.

0 Karma

jvarmazis_splun
Splunk Employee

Suggestion: Check to see if the Splunk Forwarder ports are in use on the machines with the strange behavior. The default ports would be 8089 and 9997.

  1. Shut down the Splunk Forwarder: splunk stop
  2. Check the port status using a command like netstat: netstat -np TCP | find "8089"
  3. Try for the UDP protocol and for port 9997

0 Karma
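The two checks raised in this thread (an unelevated prompt under UAC, and ports 8089/9997 already taken) can be run together from PowerShell. This is an added triage script, not from the thread or from Splunk; it assumes the default install path and the default UF service name "SplunkForwarder", and uses netstat so it also works on W7/W2k8.

```powershell
# Added example: triage a Windows UF that ignores 'splunk status'.
$SplunkHome  = 'C:\Program Files\SplunkUniversalForwarder'   # assumption: default install path
$ServiceName = 'SplunkForwarder'                              # assumption: default UF service name
$Ports       = @(8089, 9997)                                  # default mgmt and receiving ports

function Test-IsElevated {
    # Under UAC a non-admin prompt gets a silently exiting splunk.exe, as described above.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-PortUsage {
    param([int[]]$PortList)
    # netstat -ano: all sockets, numeric addresses, owning PID (works on W7/W2k8).
    # TCP rows: Proto Local Foreign State PID; UDP rows: Proto Local Foreign PID.
    $rows = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }
    foreach ($row in $rows) {
        $f     = $row.Trim() -split '\s+'
        $proto = $f[0]; $local = $f[1]
        $port  = [int](($local -split ':')[-1])          # handles [::]:8089 as well as 0.0.0.0:8089
        if ($PortList -contains $port) {
            $owner = [int]$f[-1]
            $state = if ($proto -eq 'TCP') { $f[3] } else { '-' }
            $name  = (Get-Process -Id $owner -ErrorAction SilentlyContinue).ProcessName
            [pscustomobject]@{ Proto = $proto; Local = $local; State = $state; OwnerPID = $owner; Process = $name }
        }
    }
}

if (-not (Test-IsElevated)) {
    Write-Warning "Prompt is not elevated: re-run from an admin command prompt before trusting 'splunk status' output."
}

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) { "Service $ServiceName is $($svc.Status)" } else { Write-Warning "Service $ServiceName not found" }

# Port 8089 should be owned by splunkd once the UF is up; any other owner explains a CLI that cannot reach it.
$usage = Get-PortUsage -PortList $Ports
if ($usage) { $usage | Format-Table -AutoSize } else { "Ports $($Ports -join ', ') are not in use" }

# Capture the CLI's exit code too: a blank reply with a non-zero code still tells you something.
$status = & "$SplunkHome\bin\splunk.exe" status 2>&1
"splunk status exit code: $LASTEXITCODE"
$status
```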

pdjhh
Communicator

Thanks for the response. I haven't configured an output.conf yet so it shouldn't be trying to use 9997 I don't think (left it blank during install). I can see the server phoning home on 8089 so it looks like it's using that happily. I pushed the Windows TA to it and don't get any events back and I have this curious thing where it won't report its status. Apparently it has been 'hardened' so there may be some UAC or other permissioning issues. splunkd.log?

0 Karma