splunk stopped forwarding...

Contributor

I have a simple setup. A light forwarder, forwarder and an indexer. The light forwarder stopped working about 5 days ago. Now the registration did expire on all three systems. Would that explain why the forwarding stopped working? Nothing was changed or altered on the systems to my knowledge.

The only troubleshooting steps I've taken were to change the license files of the forwarder and light forwarder to licensed forwarders. I just copied the licensed files; they are still not registered.

Any idea what I need to do to get my log files forwarded to the indexer again? Thanks in advance.

0 Karma
1 Solution

Communicator

What OSes are you using for the indexer and/or LWFs? The license issue should be addressed immediately. That could account for the loss of the LWF functionality. Did you restart the Splunk indexer and LWF daemons after you made the licensing changes and/or enabled LWFing?

You can verify that your Splunk indexer is accepting connections to your receiving port by 1) testing the connection, by "telnet ServerIPaddress ListeningPort" or "telnet 1.2.3.4 9999", from the LWF to the Splunk indexer.

2) Verify if your IP address has established a connection with your indexer by "netstat -an | more" or "netstat -an > myportconns.log".

HTH. Otherwise, let me know what happens next.

V.

ps..Spaces count
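
The two checks from the answer above combined into one script, added here as an example and not part of the original thread: it reads `netstat -an` output on the indexer and reports whether the receiving port is listening and whether the forwarder holds an established connection to it. Port 9999 follows the answer's example; the function names, the 192.0.2.x addresses and the sample output are constructed assumptions.

```shell
#!/bin/sh
# Run on the indexer: netstat -an | check_receiver <port> <forwarder-ip>
# Prints NOT_LISTENING, LISTENING_NO_FORWARDER or CONNECTED.
check_receiver() {
    awk -v port="$1" -v fwd="$2" '
        $1 ~ /^tcp/ {
            # Linux netstat -an columns: Proto Recv-Q Send-Q Local Foreign State
            laddr = $4; peer = $5; state = $6
            n = split(laddr, parts, ":")
            if (parts[n] != port) next          # not the receiving port
            if (state == "LISTEN") listening = 1
            if (state == "ESTABLISHED") {
                sub(/:[^:]*$/, "", peer)        # drop the remote port
                sub(/^::ffff:/, "", peer)       # IPv4-mapped IPv6 form
                if (peer == fwd) established++
            }
        }
        END {
            if (!listening)       print "NOT_LISTENING"
            else if (established) print "CONNECTED"
            else                  print "LISTENING_NO_FORWARDER"
        }'
}

# Constructed sample of `netstat -an` output (not taken from the thread).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address      Foreign Address     State
tcp        0      0 0.0.0.0:9999       0.0.0.0:*           LISTEN
tcp        0      0 0.0.0.0:8089       0.0.0.0:*           LISTEN
tcp        0      0 192.0.2.10:9999    192.0.2.21:41876    ESTABLISHED
tcp        0      0 192.0.2.10:22      192.0.2.50:52311    ESTABLISHED
EOF
}

# Hypothetical forwarder address 192.0.2.21 on receiving port 9999.
sample_netstat | check_receiver 9999 192.0.2.21
```

A CONNECTED result means the port and the network path are working, so the next place to look is the Splunk configuration and logs rather than the connection itself.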

Communicator

Pardon, what version are you using? Are you using a specific index to forward the information from the LWF to the Forwarder / main Splunk indexer server? If not, look at the index it is using and query that index from the Splunk server. Have you looked at the Splunk logs on the LW forwarder (Default? /opt/splunk/var/logs?)

0 Karma

Contributor

The O/S is RH5-64. The license issue has been addressed. However, this instance of Splunk still does not seem to accept data from forwarders or light forwarders. The ports on the indexer are on and listening and there is no firewall in between the host and the indexer. I ran a tcpdump on the indexer and I see data from the light forwarder. However, I can't seem to query the data.

Does this have anything to do with the licensing at this time? We have applied a license to the indexer though.

0 Karma