Getting Data In

Why are some Windows Universal Forwarders not responding to any Splunk commands like 'splunk status'?

Communicator

Hi,

I've installed a UF on about 10 Windows machines, some desktops and some servers, and see some strange behaviour. On about 6 of them all is fine, but on the other handful of machines I can see the process running in the process manager but it won't respond to any splunk commands like 'splunk status'. Splunk status is accepted and just comes back blank; it returns to the prompt without returning anything. These guys, then, are also not sending Windows event data in to their heavy forwarder.

The servers are W2k8 and the desktops W7. On the desktops I see another DOS window pop up very briefly on my problematic ones when I enter splunk status or splunk stop or start.

Anyone seen anything like this?

Thanks.

0 Karma

Re: Why are some Windows Universal Forwarders not responding to any Splunk commands like 'splunk status'?

Splunk Employee

Suggestion: Check to see if the Splunk Forwarder ports are in use on the machines with the strange behavior. The default ports would be 8089 and 9997.

  1. Shut down the Splunk Forwarder: splunk stop
  2. Check the port status using a command like netstat: netstat -np TCP | find "8089"
  3. Try for the UDP protocol and for port 9997
0 Karma

Re: Why are some Windows Universal Forwarders not responding to any Splunk commands like 'splunk status'?

Communicator

Thanks for the response. I haven't configured an output.conf yet so it shouldn't be trying to use 9997, I don't think (left it blank during install). I can see the server phoning home on 8089 so it looks like it's using that happily. I pushed the Windows TA to it and don't get any events back, and I have this curious thing where it won't report its status. Apparently it has been 'hardened' so there may be some UAC or other permissioning issues. splunkd.log?

0 Karma

Re: Why are some Windows Universal Forwarders not responding to any Splunk commands like 'splunk status'?

SplunkTrust

Open your command prompt as an admin account and try again.

View solution in original post
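
The two checks suggested in this thread (whether the prompt is elevated, and which process owns ports 8089 and 9997), combined into one PowerShell sketch. This is an added example, not posted by any participant; it assumes the default service name `SplunkForwarder` and parses `netstat -ano` output rather than relying on newer cmdlets.

```powershell
# Added example (not from the thread). Run on the forwarder host.
# Assumptions: default UF service name "SplunkForwarder"; ports are the
# defaults named in the thread (8089 management, 9997 forwarding).
$ports = 8089, 9997

# 1. Is this prompt elevated? Under UAC, an administrator account in a
#    normal prompt still runs with a filtered, non-admin token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Elevated prompt : $elevated"

# 2. State of the forwarder service as Windows sees it.
$svc = Get-Service -Name 'SplunkForwarder' -ErrorAction SilentlyContinue
if ($svc) { "Service state   : $($svc.Status)" } else { "Service state   : not found" }

# 3. Which process owns each port. With the forwarder stopped, any socket
#    still bound here belongs to something else and is a conflict.
$sockets = netstat -ano | Select-String -Pattern '^\s*(TCP|UDP)\s'
foreach ($port in $ports) {
    # Match on the local address column only (second field).
    $hits = @($sockets | Where-Object { $_.Line -match "^\s*(TCP|UDP)\s+\S+:$port\s" })
    if ($hits.Count -eq 0) { "Port $port : no local socket"; continue }
    foreach ($hit in $hits) {
        $fields   = $hit.Line.Trim() -split '\s+'
        $ownerPid = [int]$fields[-1]          # PID is the last column for TCP and UDP
        $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $name     = if ($proc) { $proc.ProcessName } else { 'unknown' }
        "Port $port : $($fields[0]) $($fields[1]) owned by PID $ownerPid ($name)"
    }
}
```

If the first line prints `False`, reopen the prompt with "Run as administrator" before retrying `splunk status`.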


Re: Why are some Windows Universal Forwarders not responding to any Splunk commands like 'splunk status'?

Builder

I have experienced this behavior and running the cmd prompt as admin did the trick for me! Thanks, Martin. Hopefully this gets changed to an answer for you.

0 Karma

Re: Why are some Windows Universal Forwarders not responding to any Splunk commands like 'splunk status'?

SplunkTrust

I'll just convert it myself 😄

0 Karma

Re: Why are some Windows Universal Forwarders not responding to any Splunk commands like 'splunk status'?

Communicator

Thanks both of you. This is one of those ones where I don't have access to the boxes so I've asked the customer to try this. I'll advise once they get back to me.

0 Karma