Hello there,
I am new to Splunk. I have configured my universal forwarder to send data to the indexer. The universal forwarder is a Linux server, and running the command netstat -an | grep 9997 I can see that TCP packets are being sent to the indexer, but the status is 'TIME_WAIT'. My indexer is a Windows 10 desktop; I have added permission to accept TCP and ICMP packets, but still I can't find the data I want on the Splunk instance installed on the indexer (or any other data concerning the forwarder).
My question is then: what can I do in order to receive the packets on the indexer, please?
PS: I have another indexer which is a Linux desktop, and it works just fine, I can find the forwarder data.
PS': Here is the link for the tutorial I've been following in order to configure the Splunk instances I'm using: Using the Universal Forwarder to gather data | Splunk Operational Intelligence Cookbook (packtpub.co...
Any help would be appreciated!
The TIME_WAIT status means that your side of the connection has sent the final FIN-ACK packet and is waiting for confirmation (full close of the connection).
Which means that probably the network-level connection is working (you can verify it by connecting with telnet or any similar tool directly to port 9997 on the indexer from your windows machine just to see whether it establishes connection or refuses it).
Check the logs on your forwarder - c:\program files\splunkuniversalforwarder\var\log\splunk\splunkd.log
It should tell you whether it did connect or if it had problems with connection.
Check the logs on your indexer - /opt/splunk/var/log/splunk/splunkd.log for anything regarding input on port 9997 or events regarding your windows machine IP address.
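The two checks in the answer above (a raw TCP connect to port 9997, then reading splunkd.log on both ends) can be scripted. The following is an added example, not code from the thread or from Splunk: `check_port` does the telnet-style reachability test with bash's /dev/tcp, and the two `classify_*` functions grep splunkd.log for the TcpOutputProc / TcpInputProc messages that show whether the forwarder connected and whether the indexer actually has a receiver on 9997. The log lines in the demo are constructed samples modelled on the usual message shapes (exact wording varies by Splunk version, so the patterns are kept loose), and the host and port are placeholders. By default the forwarder's log lives under /opt/splunkforwarder/var/log/splunk on a Linux UF and the indexer's under C:\Program Files\Splunk\var\log\splunk on Windows.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): UF -> indexer reachability and splunkd.log triage.
# Assumes bash (for /dev/tcp) and coreutils 'timeout'. Hosts/ports/paths are placeholders.
set -u

# check_port HOST PORT: plain TCP connect to the indexer's receiving port, like the telnet test.
# Prints "open" (exit 0) or "closed" (exit 1). "closed" covers both refused and timed out.
check_port() {
  local host=$1 port=$2
  if timeout 3 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null; then
    echo "open"; return 0
  fi
  echo "closed"; return 1
}

# classify_uf_log FILE: forwarder-side splunkd.log. Did TcpOutputProc ever connect, and is it failing?
classify_uf_log() {
  local file=$1 ok fail
  ok=$(grep -Ec 'TcpOutputProc - Connected to idx=' "$file" || true)
  fail=$(grep -Ec 'TcpOutput(Proc|Fd) - .*(failed|timed out|quarantine)' "$file" || true)
  if [ "$ok" -gt 0 ] && [ "$fail" -eq 0 ]; then echo "connected"
  elif [ "$fail" -gt 0 ]; then echo "failing"
  else echo "no-output-activity"   # no TcpOutput lines at all: check outputs.conf on the UF
  fi
}

# classify_indexer_log FILE: indexer-side splunkd.log. Is receiving enabled, and did any UF connect?
classify_indexer_log() {
  local file=$1 acceptor conns
  acceptor=$(grep -Ec 'TcpInputProc - Creating fwd data Acceptor' "$file" || true)
  conns=$(grep -Ec 'TcpInputProc - Connection in cooked mode from src=' "$file" || true)
  if [ "$acceptor" -eq 0 ]; then echo "receiving-not-enabled"   # Settings > Forwarding and receiving
  elif [ "$conns" -gt 0 ]; then echo "receiving-and-connected"
  else echo "receiving-no-forwarders"                            # port open, nobody reached it
  fi
}

# Demo on constructed log samples (not real captures); real use: pass your own splunkd.log paths.
demo() {
  local tmp; tmp=$(mktemp -d)
  cat >"$tmp/uf_splunkd.log" <<'EOF'
08-01-2023 10:00:01.000 +0000 INFO  TcpOutputProc - Connected to idx=192.0.2.10:9997, pset=0, reuse=0.
08-01-2023 10:05:01.000 +0000 WARN  TcpOutputProc - Cooked connection to ip=192.0.2.10:9997 timed out
08-01-2023 10:05:31.000 +0000 WARN  TcpOutputProc - Applying quarantine to ip=192.0.2.10 port=9997 connid=0 _numberOfFailures=2
EOF
  cat >"$tmp/idx_splunkd.log" <<'EOF'
08-01-2023 09:59:00.000 +0000 INFO  TcpInputProc - Creating fwd data Acceptor for IPv4 port 9997 with Non-SSL
EOF
  echo "forwarder log: $(classify_uf_log "$tmp/uf_splunkd.log")"       # failing
  echo "indexer log:   $(classify_indexer_log "$tmp/idx_splunkd.log")" # receiving-no-forwarders
  rm -rf "$tmp"
}
demo
```

Run `check_port <indexer-host> 9997` from the forwarder, then the two classifiers against each side's splunkd.log. A "closed" port with "receiving-not-enabled" on the indexer points at the Splunk receiver not being configured; "closed" with a configured receiver points at the Windows firewall; "open" with "failing" on the forwarder usually means the connection is accepted but dropped, which the indexer log will show.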
Thank you so much for your explanation, it really helped and I appreciate it.
Hi @aatik5u,
Did you enable your Indexer to receive logs from Universal Forwarders? [Settings -- Forwarding and Receiving -- Receiving]
Is this Indexer receiving the logs from other UFs and/or from the same UF?
Hey! Thank you for your reply.
Yes (as shown in the tutorial I linked), I did, via the Splunk instance installed on the indexer.
No, the indexer is not receiving anything, it's normal since I have only one forwarder.
Thank you