Why won't Splunk forwarder send data after update?

ichesla1111
Path Finder

Hello!

When I updated my Splunk Universal Forwarder, my data stopped sending data into Splunk.

I do not know how to find the upgraded Splunk server's tcpout address I need to update in the Splunk Forwarder configuration files (use new output server address to edit configuration files in the $SPLUNK_HOME/etc/system/local/ file location).

Is there a way to find the new tcpout server address/what address I need to change in my configuration file (after Splunk update) on Splunk's web application in settings?


What I need to find (highlighted in red)
server: 1xx.123.12.212:Port
(IPAddress.numberUpdate:Port)

***Does the 212 represent the latest Splunk software version (change it to the updated version of Splunk)?

Thank you.

richgalloway
SplunkTrust

The addresses that go into the Splunk Forwarder's outputs.conf file are the IP addresses of the Splunk indexers to which data is to be sent.  Addresses do not change when the forwarder is upgraded.

Take a step back and find the root cause of the problem.  Check the splunkd.log file on the forwarder to see what messages are logged by TcpOutputProc.  They should shed light on the cause.

If the cause is a new IP address then check the indexers for their current addresses (contact your Splunk or Linux admin for assistance, if needed).

---
If this reply helps you, Karma would be appreciated.
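
A way to follow the advice above, as an added example that is not part of the original thread: it lists the indexers configured in outputs.conf and counts the TcpOutputProc messages in splunkd.log that name each one. The sample file contents and log lines are constructed, and the exact message wording is an assumption that can differ between Splunk versions.

```python
import re
from collections import Counter

# splunkd.log layout: "<date> <time> <tz> LEVEL  Component [thread] - message"
LOG_RE = re.compile(r"^\S+ \S+ \S+\s+(?P<level>[A-Z]+)\s+(?P<comp>\S+)\s+"
                    r"(?:\[[^\]]*\]\s+)?- (?P<msg>.*)$")
TARGET_RE = re.compile(r"\b(?:ip|idx)=([^\s,]+:\d+)")   # indexer named in a message
SERVER_RE = re.compile(r"^[ \t]*server[ \t]*=[ \t]*(.+)$", re.M)  # outputs.conf entry

# Constructed sample input (documentation addresses, not values from the thread).
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = 192.0.2.10:9997, 192.0.2.11:9997
"""
SAMPLE_LOG = """\
03-12-2024 10:15:02.101 +0000 INFO  TcpOutputProc [4321 parsing] - Connected to idx=192.0.2.10:9997
03-12-2024 10:15:32.123 +0000 WARN  TcpOutputProc [4321 parsing] - Cooked connection to ip=192.0.2.11:9997 timed out
03-12-2024 10:16:02.456 +0000 WARN  TcpOutputProc [4321 parsing] - Cooked connection to ip=192.0.2.11:9997 timed out
03-12-2024 10:16:05.000 +0000 INFO  Metrics - group=queue, name=tcpout_primary_indexers, current_size=0
""".splitlines()

def configured_servers(conf_text):
    """Return every host:port listed on a 'server =' line of outputs.conf."""
    return [s.strip() for m in SERVER_RE.finditer(conf_text)
            for s in m.group(1).split(",") if s.strip()]

def tcpout_counts(log_lines):
    """Count TcpOutputProc messages per (target, level); other components are skipped."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["comp"] == "TcpOutputProc":
            t = TARGET_RE.search(m["msg"])
            counts[(t.group(1) if t else None, m["level"])] += 1
    return counts

def diagnose(conf_text, log_lines):
    """Per configured indexer: INFO messages naming it versus WARN/ERROR messages."""
    counts = tcpout_counts(log_lines)
    return {srv: {"info": counts[(srv, "INFO")],
                  "problems": counts[(srv, "WARN")] + counts[(srv, "ERROR")]}
            for srv in configured_servers(conf_text)}

if __name__ == "__main__":
    for server, status in diagnose(SAMPLE_OUTPUTS_CONF, SAMPLE_LOG).items():
        print(server, status)
```

A configured indexer that shows only problems and no INFO messages is the one to check for a changed address or a blocked port.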

woodcock
Esteemed Legend

No upgrade should change any settings so you have some other kind of problem, I suspect.  Sometimes when a service is upgraded, the server is rebooted.  Sometimes when a server is rebooted, a service that was manually stopped long ago is automatically restarted (think selinux or firewalld).  That is where I would look.  Also, don't store your configurations for UF in $SPLUNK_HOME/etc/system/local; use base config apps and DS/chef/ansible/etc.

ichesla1111
Path Finder

Thank you!!! Looking at the log helped me figure out the issue.
