Getting Data In

Windows TCP- What can I do in order to receive the packages on the indexer please?

aatik5u
Path Finder

Hello there,

I am new to Splunk. I had configured my universal forwarder in order to send data to the indexer. The universal forwarder is a Linux server and running the command netstat -an | grep 9997 I can see that tcp packages are being sent to the indexer, but the status is 'TIME_WAIT'. While my indexer is a windows 10 desktop, I have added permission to accept tcp and ICMP packages, but still, I can't find the data I want on the splunk instance installed on the indexer (or any other data concerning the forwarder). 

My question is then, what can I do in order to receive the packages on the indexer please?

PS: I have another indexer which is a Linux desktop, and it works just fine, I can find the forwarder data.

PS': Here is the link for the tutorial I've been following in order to configure the splunk instences I'm using Using the Universal Forwarder to gather data | Splunk Operational Intelligence Cookbook (packtpub.co...

Any help would be appreciated !

Regards,

Labels (1)
Tags (1)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

The TIME_WAIT status means that your side of the connection has sent the final FIN-ACK packet and is waiting for confirmation (full close of the connection).

Which means that probably the network-level connection is working (you can verify it by connecting with telnet or any similar tool directly to port 9997 on the indexer from your windows machine just to see whether it establishes connection or refuses it).

Check the logs on your forwarder - c:\program files\splunkuniversalforwarder\var\log\splunk\splunkd.log

It should tell you whether it did connect or if it had problems with connection.

Check the logs on your indexer - /opt/splunk/var/log/splunk/splunkd.log for anything regarding input on port 9997 or events regarding your windows machine IP address.

 

0 Karma

aatik5u
Path Finder

Thank you so much for your explanation, it really helped and I appreciate it.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @aatik5u,

did you enabled your Indexer to receive logs from Universal Forwarders? [Settings -- Forwardring and Receiving -- Receiving]

Is this Indexer receiving onthe logs from other UFs and/or from the same UF?

Ciao.

Giuseppe

 

0 Karma

aatik5u
Path Finder

Hey! thank you for your reply

yes (as shown in the tutorial I linked), I did via splunk instance installed on the indexer.

No, the indexer is not receiving anything, it's normal since I have only one forwarder.

Thank you

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...