indexer configured but inactive on new Linux serve...

prathyusha_99 · ‎06-18-2014

I have been working on configuring splunk on the new Linux servers that were added to our environment. I ran into some issues and would appreciate if you can help me with these. The splunk server installed in our environment is version 4.1.3. I have installed splunkforwarder-6.1 on the linux server and configured it to forward to the indexer. When I list the forward servers, It shows the indexer as configured but inactive. I have checked all the input.conf and output.conf files on the forwarder. Is this any issue of incompatibility between splunk 4.1 and splunkforwarder-6.1?
What is the best way to make this work ? update my indexer?

linu1988 · ‎06-18-2014

Splunk 6 forwarders are not compatible to 4.x indexers..

http://docs.splunk.com/Documentation/Splunk/6.1.1/Forwarding/Compatibilitybetweenforwardersandindexe...

prathyusha_99 · ‎06-18-2014

Sorry, typo its inputs.conf

From the metrics log it looks like its trying and failing. I don't see any erroe message why is it failing.

06-18-2014 13:11:01.595 -0400 INFO StatusMgr - destHost=XXXXX, destIp=XXXX, destPort=9997, eventType=connect_try, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor
06-18-2014 13:11:08.452 -0400 INFO StatusMgr - destHost=XXXX, destIp=XXXX, destPort=9997, eventType=connect_fail, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor

indexer configured but inactive on new Linux servers

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services