Hi,
After some days the Splunk server stopped receiving input. The forwarders have not changed, but I did make some changes on the Splunk server (can't remember what I did). I also know that the firewall is not the cause of the problem. On the Splunk server we have also configured the Splunk Universal Forwarder, so the same server includes both Splunk Enterprise and the Splunk Universal Forwarder.
Not sure, but I think it's some trouble with the indexer, since it cannot receive inputs. I have also verified that the environment variables are OK, and changed file permissions on all files/directories below Splunk_HOME. So it should be fine.
On the Splunk Universal Forwarder clients, splunkd.log says that TcpOutProc is connected to the Splunk server. It also says that the Splunk server is listening on *:9997.
> ss -tnlup
tcp LISTEN 0 128 *:9997 *:* users(("splunkd",pid=170257,fd=41))
I assume telemetry data is sent to the Splunk server, but it is not indexed. One more piece of information:
On the Splunk server, under Settings - Data - Indexes, I can see that:
_audit SplunkLightForwarder $SPLUNK_DB/audit/db status says disabled
_internal SplunkLightForwarder $SPLUNK_DB/_internal/db status says disabled
_introspection SplunkLightForwarder $SPLUNK_DB/_introspection/db status says disabled
_telemetry SplunkLightForwarder $SPLUNK_DB/_telemetry/db status says disabled
history SplunkLightForwarder $SPLUNK_DB/history/db status says disabled
main SplunkLightForwarder $SPLUNK_DB/history /default/db status says disabled
I assume it has something to do with wrong settings on the Splunk server. I hope someone out there can give me some useful tips/hints, so we can use Splunk again as normal.
Rgds
Geir J. H