Getting Data In

Why won't Splunk forwarder send data after update?

ichesla1111
Path Finder

Hello!

When I updated my Splunk Universal Forwarder, my data stopped sending data into Splunk.

I do not know how to find the upgraded Splunk server's tcpout address I need to update in the Splunk Forwarder configuration files (use new output server address to edit configuration files in the $SPLUNK_HOME/etc/system/local/ file location).

Is there a way to find the new tcpout server address/what address I need to change in my configuration file (after Splunk update) on Splunk's web application in settings?


What I need to find (highlighted in red)
server: 1xx.123.12.212:Port
(IPAddress.numberUpdate:Port)

***Does the 212 represent the latest Splunk software version (change it to the updated version of Splunk)?

Thank you.

0 Karma
1 Solution

richgalloway
SplunkTrust

The addresses that go into the Splunk Forwarder's outputs.conf file are the IP addresses of the Splunk indexers to which data is to be sent.  Addresses do not change when the forwarder is upgraded.

Take a step back and find the root cause of the problem.  Check the splunkd.log file on the forwarder to see what messages are logged by TcpOutputProc.  They should shed light on the cause.

If the cause is a new IP address then check the indexers for their current addresses (contact your Splunk or Linux admin for assistance, if needed).

---
If this reply helps you, Karma would be appreciated.

0 Karma
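An added example (not part of the thread and not Splunk tooling) of the check the accepted answer describes: it reads the `server` entries from outputs.conf text, tallies TcpOutputProc lines from splunkd.log per destination, and lists configured indexers that logged only WARN/ERROR lines. The sample config, log lines, addresses, group name and function names are constructed, and the log layout is an assumption; message wording varies between Splunk versions.

```python
import re
from collections import Counter

# Constructed sample inputs; addresses are documentation-range placeholders.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = 192.0.2.10:9997, 192.0.2.11:9997
"""
SAMPLE_LOG = """\
04-10-2024 09:15:01.120 +0000 INFO  TcpOutputProc - Connected to idx=192.0.2.10:9997
04-10-2024 09:15:31.456 +0000 WARN  TcpOutputProc - Cooked connection to ip=192.0.2.11:9997 timed out
04-10-2024 09:15:31.460 +0000 INFO  TailReader - constructed line from another component
04-10-2024 09:16:01.789 +0000 WARN  TcpOutputProc - Cooked connection to ip=192.0.2.11:9997 timed out
"""

# Assumed layout: "<date> <time> <tz> LEVEL  Component [optional thread] - message".
LINE = re.compile(r"^\S+ \S+ \S+\s+(?P<level>[A-Z]+)\s+TcpOutputProc\b.*? - (?P<msg>.*)$")
DEST = re.compile(r"\b(?:ip|idx)=(?P<dest>[^\s,]+)")

def configured_servers(conf_text):
    """Return every host:port listed on a 'server =' line (comments are skipped)."""
    servers = []
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "server":
            servers += [s.strip() for s in value.split(",") if s.strip()]
    return servers

def summarize(log_text):
    """Count TcpOutputProc messages per (destination, level); other components are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            d = DEST.search(m["msg"])
            counts[(d["dest"] if d else "-", m["level"])] += 1
    return counts

def failing_servers(conf_text, log_text):
    """Heuristic: configured servers with WARN/ERROR lines and no INFO line at all."""
    c = summarize(log_text)
    return [s for s in configured_servers(conf_text)
            if (c[(s, "WARN")] or c[(s, "ERROR")]) and not c[(s, "INFO")]]

if __name__ == "__main__":
    print(failing_servers(SAMPLE_OUTPUTS_CONF, SAMPLE_LOG))
```

To use it on a real forwarder, pass the contents of the active outputs.conf and of splunkd.log in place of the two sample strings.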

woodcock
Esteemed Legend

No upgrade should change any settings so you have some other kind of problem, I suspect.  Sometimes when a service is upgraded, the server is rebooted.  Sometimes when a server is rebooted, a service that was manually stopped long ago is automatically restarted (think selinux or firewalld).  That is where I would look.  Also, don't store your configurations for UF in $SPLUNK_HOME/etc/system/local; use base config apps and DS/chef/ansible/etc.

ichesla1111
Path Finder

Thank you!!! Looking at the log helped me figure out the issue.
