New HF has all blocked queues in minutes?

IngmarHicoz
Engager

Hello Splunk Community! I have an ec2 instance of Windows Server 2022 with Splunk Enterprise (9.0.4) installed. Within a few minutes of installing, all of the processing queues are 100% blocked and it places all indexers on quarantine. It is currently outputting to 3 different indexers, and the only logs it is supposed to send are internal logs. I am 100% positive the indexers are not the issue. I think the problem is potentially a connection issue to these indexers, as I cannot ping these machines. There is no firewall blocking traffic in between them, so I'm thinking it might be an issue with a setting in Server 2022 somewhere.

I made sure to install through Admin CMD line, and for testing, this ec2 has all outbound connections open. Does anyone have any ideas, or has anyone seen this before? I had this happen on another box, but after messing with the CMD line and different install flags it finally started working, but it seems like no matter what flags I use it doesn't work.

0 Karma

PickleRick
SplunkTrust

If you suspect network issues, verify the connectivity "the usual way".

Go onto your HF machine and try to connect to your indexers on the input port (usually 9997) and see if it works. If it does, check your _internal log on the indexers for any messages regarding the HF's IP. If it does not... well, hard to say without knowing your machines and network setup, but generally, something must be blocking traffic.

Oh, and verify that your indexers do listen on the incoming traffic - I hope someone hasn't configured your boxes to listen on loopback only 🙂

0 Karma
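
The connectivity check described in the answer above, as an added example that is not part of the original post: a PowerShell script run on the Windows HF that attempts a TCP connection to each indexer on 9997 and separates a timeout from a refusal. The indexer hostnames are constructed placeholders, and the function name `Test-IndexerPort` and the 3-second timeout are assumptions.

```powershell
# Added example: hostnames below are constructed placeholders, not from the thread.
$Indexers  = @('idx1.example.internal', 'idx2.example.internal', 'idx3.example.internal')
$Port      = 9997      # receiving port named in the answer ("usually 9997")
$TimeoutMs = 3000      # assumed timeout

function Test-IndexerPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($HostName, $Port)
        if (-not $task.Wait($TimeoutMs)) {
            # No answer at all: packets are being dropped somewhere on the path
            return 'TIMEOUT (traffic dropped: security group, host firewall or routing)'
        }
        return 'OPEN (TCP handshake completed)'
    }
    catch {
        # Task.Wait wraps the real error; walk down to the innermost exception
        $inner = $_.Exception
        while ($inner.InnerException) { $inner = $inner.InnerException }
        if ($inner -is [System.Net.Sockets.SocketException]) {
            switch ($inner.SocketErrorCode) {
                # Host answered with a reset: reachable, but nothing listens on
                # this address/port (for example a loopback-only listener)
                'ConnectionRefused' { return 'REFUSED (host reachable, no listener on this address/port)' }
                'HostNotFound'      { return 'DNS FAILURE (name does not resolve from this machine)' }
                default             { return "SOCKET ERROR ($($inner.SocketErrorCode))" }
            }
        }
        return "ERROR ($($inner.Message))"
    }
    finally {
        $client.Close()
    }
}

# One result row per indexer
foreach ($idx in $Indexers) {
    [pscustomobject]@{
        Indexer = $idx
        Port    = $Port
        Result  = Test-IndexerPort -HostName $idx -Port $Port -TimeoutMs $TimeoutMs
    }
}
```

A failed ping does not by itself mean TCP 9997 is blocked, because ICMP is filtered separately from TCP, so the TCP result is the one to act on.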

gcusello
SplunkTrust

Hi @IngmarHicoz,

Are you receiving internal logs on the Indexers?

Do you have network congestion issues?

What are the hardware configurations on the Indexers?

Also, I have only seen test or small environments based on Windows, never production or large environments, those only on Linux!

Ciao.

Giuseppe

0 Karma