Getting Data In

Windows TCP - What can I do in order to receive the packets on the indexer please?

aatik5u
Path Finder

Hello there,

I am new to Splunk. I have configured my universal forwarder to send data to the indexer. The universal forwarder is a Linux server, and running the command netstat -an | grep 9997 I can see that TCP packets are being sent to the indexer, but the status is 'TIME_WAIT'. My indexer is a Windows 10 desktop; I have added permission to accept TCP and ICMP packets, but still I can't find the data I want on the Splunk instance installed on the indexer (or any other data concerning the forwarder).

My question is then: what can I do in order to receive the packets on the indexer please?

PS: I have another indexer which is a Linux desktop, and it works just fine, I can find the forwarder data.

PS': Here is the link for the tutorial I've been following in order to configure the Splunk instances I'm using: Using the Universal Forwarder to gather data | Splunk Operational Intelligence Cookbook (packtpub.co...

Any help would be appreciated !

Regards,


PickleRick
SplunkTrust

The TIME_WAIT status means that your side of the connection has sent the final FIN-ACK packet and is waiting for confirmation (full close of the connection).

Which means that probably the network-level connection is working (you can verify it by connecting with telnet or any similar tool directly to port 9997 on the indexer from your Windows machine, just to see whether it establishes a connection or refuses it).

Check the logs on your forwarder - c:\program files\splunkuniversalforwarder\var\log\splunk\splunkd.log

It should tell you whether it did connect or if it had problems with connection.

Check the logs on your indexer - /opt/splunk/var/log/splunk/splunkd.log for anything regarding input on port 9997 or events regarding your windows machine IP address.

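The two checks in the reply above (a raw TCP connect to the receiving port, then a look through splunkd.log for the forwarder's connection messages) can be scripted. The following is an added example, not code from the thread or from Splunk: the indexer address 192.0.2.10 and the splunkd.log lines are constructed, and the exact wording of the TcpOutputProc/TcpOutputFd messages is an assumption to adjust for the version you run.

```python
"""Added example (not from the thread): automate the port check and the
splunkd.log triage. Host, port and sample log lines are constructed."""
import re
import socket
from typing import List, Optional, Tuple


def check_receiver_port(host: str, port: int = 9997, timeout: float = 3.0) -> Tuple[bool, str]:
    """Same as the telnet test: does a TCP handshake to host:port complete?
    Refused -> nothing listening (receiving not enabled on the indexer).
    Timeout -> the SYN is being dropped, typically by a host firewall."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "TCP connect to %s:%d succeeded" % (host, port)
    except ConnectionRefusedError:
        return False, "connection refused: nothing listening on %s:%d" % (host, port)
    except socket.timeout:
        return False, "connect timed out: likely filtered by a firewall"
    except OSError as exc:
        return False, "connect failed: %s" % exc


# Forwarder-side messages to look for. The text mirrors what a Universal
# Forwarder writes to splunkd.log, but treat it as an assumption and adjust
# the patterns to your version.
PATTERNS = (
    ("connected", re.compile(r"TcpOutputProc - Connected to idx=(?P<peer>[\d.]+:\d+)")),
    ("refused", re.compile(r"TcpOutputFd - Connect to (?P<peer>[\d.]+:\d+) failed\. Connection refused")),
    ("timeout", re.compile(r"TcpOutputProc - Cooked connection to ip=(?P<peer>[\d.]+:\d+) timed out")),
    ("blocked", re.compile(r"TcpOutputProc - The TCP output processor has paused the data flow")),
)


def triage_splunkd_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (kind, peer) for each line that says something about the output
    connection, in log order, so the last entry reflects the current state."""
    events = []
    for line in lines:
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                events.append((kind, m.groupdict().get("peer", "")))
                break
    return events


NEXT_STEP = {
    "connected": "forwarder connected; on the indexer search index=_internal host=<forwarder> to confirm events arrive",
    "refused": "nothing listening on the port; enable receiving on the indexer (Settings > Forwarding and receiving > Receiving)",
    "timeout": "SYN dropped; check the Windows firewall rule for inbound TCP 9997 on the indexer",
    "blocked": "connection up but the indexer is not reading data; check the indexer's own splunkd.log and queues",
    None: "no connection messages found; check outputs.conf points at the indexer and that splunkd is running",
}


def diagnose(events: List[Tuple[str, str]]) -> str:
    """Map the most recent connection event to the next thing to check."""
    last: Optional[str] = events[-1][0] if events else None
    return NEXT_STEP[last]


# Constructed splunkd.log excerpt: refused, then a timeout, then connected
# once receiving was enabled on the indexer (192.0.2.10 is a documentation address).
SAMPLE_LOG = [
    "01-15-2024 10:02:11.456 +0000 WARN  TcpOutputFd - Connect to 192.0.2.10:9997 failed. Connection refused",
    "01-15-2024 10:02:41.789 +0000 WARN  TcpOutputProc - Cooked connection to ip=192.0.2.10:9997 timed out",
    "01-15-2024 10:05:30.001 +0000 INFO  TcpOutputProc - Connected to idx=192.0.2.10:9997, pset=0, reuse=0.",
]

if __name__ == "__main__":
    ok, detail = check_receiver_port("192.0.2.10")  # replace with your indexer's address
    print(detail)
    events = triage_splunkd_log(SAMPLE_LOG)
    print(events)
    print(diagnose(events))
```

To run it against a real forwarder, feed triage_splunkd_log the lines of $SPLUNK_HOME/var/log/splunk/splunkd.log on the Linux forwarder and point check_receiver_port at the Windows indexer. A "connected" result with still no data usually moves the problem off the network and onto the indexer's receiving configuration or index permissions.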

aatik5u
Path Finder

Thank you so much for your explanation, it really helped and I appreciate it.


gcusello
SplunkTrust

Hi @aatik5u,

Did you enable your Indexer to receive logs from Universal Forwarders? [Settings -- Forwarding and Receiving -- Receiving]

Is this Indexer receiving the logs from other UFs and/or from the same UF?

Ciao.

Giuseppe

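The receiving setting gcusello asks about ends up as a splunktcp stanza in the indexer's inputs.conf, so it can be checked on disk rather than only in the UI. The following is an added example, not code from the thread or from Splunk: the inputs.conf contents are constructed, and using Python's configparser to read Splunk's stanza format is an assumption (it is close enough for splunktcp stanzas, not a general Splunk .conf parser).

```python
"""Added example (not from the thread): report every splunktcp receiving
stanza in an inputs.conf and whether it is enabled. Sample .conf text is
constructed; configparser approximates Splunk's stanza format (assumption)."""
import configparser
from typing import List, Tuple

# Stanza prefixes Splunk uses for the forwarder-receiving input.
PREFIXES = (("splunktcp-ssl://", True), ("splunktcp://", False))


def receiving_ports(inputs_conf: str) -> List[Tuple[int, bool, bool]]:
    """Return (port, tls, enabled) for every splunktcp stanza. A stanza with
    no 'disabled' key is enabled; Splunk accepts 0/1 and true/false."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string(inputs_conf)
    found = []
    for section in cp.sections():
        for prefix, tls in PREFIXES:
            if section.startswith(prefix):
                # the stanza may be "splunktcp://9997" or "splunktcp://host:9997"
                port = int(section[len(prefix):].rsplit(":", 1)[-1])
                disabled = cp.get(section, "disabled", fallback="0") or "0"
                found.append((port, tls, disabled.strip().lower() not in ("1", "true")))
                break
    return found


def receiving_enabled(inputs_conf: str, port: int = 9997) -> bool:
    """True if some enabled splunktcp or splunktcp-ssl stanza listens on port."""
    return any(p == port and on for p, _, on in receiving_ports(inputs_conf))


# Constructed inputs.conf contents, in the shape the Receiving page writes.
CONF_ENABLED = "[splunktcp://9997]\ndisabled = 0\n"
CONF_DISABLED = "[splunktcp://9997]\ndisabled = 1\n"
CONF_SSL_ONLY = "[splunktcp-ssl://9998]\nserverCert = $SPLUNK_HOME/etc/auth/server.pem\n"
CONF_NO_INPUT = "[WinEventLog://Security]\ndisabled = 0\n"

if __name__ == "__main__":
    for name, text in (("enabled", CONF_ENABLED), ("disabled", CONF_DISABLED),
                       ("ssl-only", CONF_SSL_ONLY), ("no-input", CONF_NO_INPUT)):
        print(name, receiving_ports(text), "9997 enabled:", receiving_enabled(text))
```

On the Windows indexer, the merged view of these stanzas and the file each one comes from is what `splunk btool inputs list splunktcp --debug` prints, and `splunk enable listen 9997` creates the stanza from the CLI; `netstat -an | findstr 9997` should then show the port in LISTENING state before any forwarder is expected to get through.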

aatik5u
Path Finder

Hey! thank you for your reply

Yes (as shown in the tutorial I linked), I did, via the Splunk instance installed on the indexer.

No, the indexer is not receiving anything, which is normal since I have only one forwarder.

Thank you
