indexer configured but inactive on new Linux serve...

prathyusha_99 · ‎06-18-2014

I have been working on configuring splunk on the new Linux servers that were added to our environment. I ran into some issues and would appreciate if you can help me with these. The splunk server installed in our environment is version 4.1.3. I have installed splunkforwarder-6.1 on the linux server and configured it to forward to the indexer. When I list the forward servers, It shows the indexer as configured but inactive. I have checked all the input.conf and output.conf files on the forwarder. Is this any issue of incompatibility between splunk 4.1 and splunkforwarder-6.1?
What is the best way to make this work ? update my indexer?

linu1988 · ‎06-18-2014

Splunk 6 forwarders are not compatible to 4.x indexers..

http://docs.splunk.com/Documentation/Splunk/6.1.1/Forwarding/Compatibilitybetweenforwardersandindexe...

prathyusha_99 · ‎06-18-2014

Sorry, typo its inputs.conf

From the metrics log it looks like its trying and failing. I don't see any erroe message why is it failing.

06-18-2014 13:11:01.595 -0400 INFO StatusMgr - destHost=XXXXX, destIp=XXXX, destPort=9997, eventType=connect_try, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor
06-18-2014 13:11:08.452 -0400 INFO StatusMgr - destHost=XXXX, destIp=XXXX, destPort=9997, eventType=connect_fail, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor

indexer configured but inactive on new Linux servers

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation