Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

forwarder - inactive problem

levisik
New Member
‎01-04-2012 01:46 AM

Hi all,

I have just started to implement splunk in my network. I have few servers, but I would like to start with Unix machines.

I have donwloaded and installed main server and it looks fine.

The problem starts when it goes to forwarder...

I have updated following file:

/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/outputs.conf

[tcpout]
maxQueueSize = 500KB
indexAndForward=true

[tcpout:fastlane]
server = 10.251.1.1:6996
sendCookedData = false

When I put command: /opt/splunkforwarder/bin/splunk list forward-server

Active forwards:
        None
Configured but inactive forwards:
        10.251.1.1:6996

How do I enable this forward mode ??

I have also tried:

[splunk@CentOS01 splunkforwarder]$ /opt/splunkforwarder/bin/splunk enable app SplunkLightForwarder
In handler 'localapps': Application does not exist: SplunkLightForwarder

Any help from you would be nice 🙂

Tags (2)
0 Karma
Reply

micahkemp
Champion
‎02-02-2018 06:43 PM

Did you enable receiving on the indexer? Splunk doesn't listen for forwarded inputs by default.

https://docs.splunk.com/Documentation/Forwarder/7.0.1/Forwarder/Enableareceiver

0 Karma
Reply

ss026381
Communicator
‎02-02-2018 01:04 PM

This is iptables rules problem I solved it by running following command ;

 iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 9997 -m comment --comment "splunk remote Listener" -j ACCEPT

Refer this page for more

0 Karma
Reply

sobhitakumarsah
New Member
‎04-24-2015 05:02 AM

qf@qan0030:~> /opt/splunkforwarder/bin/splunk list forward-server
Active forwards:
None
Configured but inactive forwards:
sdvl5qtm001.td.teradata.com:8089
sdvl5qtm001:9997

I am also seeing the same problem, Please help me out how to resolve this issue.

my active forwards are none.

0 Karma
Reply

LCM
Contributor
‎01-05-2012 12:06 AM

You're having a UniversalForwarder and want to send data to another forwarder "HeavyForwarder" right? The command splunk list forward-servers shows you only, if the connection from UniversalForwarder to "HeavyForwarder" has been established. In this case there is no established connection - HeavyForwarder does not accept input from your UniversalForwarder!

Make sure you've setup receiving on server 10.251.1.1 (incl. listening on port 6996) correctly. While starting up your UniversalForwarder open on both (UniversalForwarder & HeavyForwarder) servers the logfiles -> $SPLUNK_HOME/var/log/splunkd.log

What does the log telling you?

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

How Edge Processor's Durable Queue Works

Edge Processor sits in one of the most consequential places in any Splunk pipeline: between your data sources ...