Noob - Can't add TCP Port 9997 - Error in handler 'raw'

franklovecchio
New Member

So, I'm new, and having a bit of trouble 🙂

I have a Splunk instance running, we'll call it my server (can access GUI), that I'm trying to configure to listen on port 9997. I have another box which is setup as a "forwarder", and to configure it, I ran "splunk add forward-server serverIP:9997" and "splunk set splunkd-port 9997" (I changed the mgmt port because not changing it didn't work either).

So, from the GUI on the server, I click "Manage", "Data Inputs", "TCP", and I try to add a new port to receive data on (9997). When I say add syslog from all incoming hosts on this port, I get the error "Encountered the following error while trying to save: In handler 'raw': Parameter name: TCP port 9997 is not available". Why would this be? I'm on amazon ec2, and definitely have the ports 9997, 8000, and 8089 opened. Please help!

Ayn
Legend

You're mixing different types of inputs here. I'm unsure as to whether that in itself would cause the problems you describe, but when receiving forwarded data from another Splunk instance, you should configure a corresponding receiver rather than a 'raw' data input. Go to Manager -> Forwarding and receiving -> Configure receiving -> Add new. Since you have established connections on port 9997 on the server it seems someone might already have done this!

netwrkr
Communicator

netstat -tnap | grep 9997

anything else currently bound to that port?

franklovecchio
New Member

On forwarder:
tcp 0 0 0.0.0.0:9997 0.0.0.0:* LISTEN 14095/splunkd
tcp 0 0 FORWARDERIP:33750 SERVERIP:9997 TIME_WAIT -
tcp 0 0 FORWARDERIP:32878 SERVERIP:9997 ESTABLISHED 14095/splunkd
tcp 0 0 FORWARDERIP:33749 SERVERIP:9997 TIME_WAIT -
tcp 0 0 FORWARDERIP:33751 SERVERIP:9997 ESTABLISHED 14095/splunkd

franklovecchio
New Member

I don't think so - looks about right to me!

On server:
tcp 0 0 SERVERIP:9997 FORWARDERIP:33749 ESTABLISHED 10923/splunkd
tcp 0 0 SERVERIP:9997 FORWARDERIP:32878 ESTABLISHED 10923/splunkd

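As an added example, not part of the thread: a small POSIX shell helper that applies netwrkr's netstat check to a snapshot and names the process already bound to the port, which is what the "TCP port 9997 is not available" error points at when splunkd is already receiving on it. Function names, addresses and PIDs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: parse `netstat -tnap` output (the
# check netwrkr suggested) to show which process already owns a TCP port.
# Hypothetical helper names; IPs and PIDs below are constructed sample data.

# Print the PID/program of the LISTEN socket bound to port $1 (empty if none).
port_listener() {
    awk -v p="$1" '$1 == "tcp" && $6 == "LISTEN" {
        l = $4; sub(/.*:/, "", l)          # keep only the port of addr:port
        if (l == p) print $7
    }'
}

# Count ESTABLISHED connections whose local or remote port is $1.
port_connections() {
    awk -v p="$1" '$1 == "tcp" && $6 == "ESTABLISHED" {
        l = $4; sub(/.*:/, "", l)
        r = $5; sub(/.*:/, "", r)
        if (l == p || r == p) n++
    } END { print n + 0 }'
}

# Read a netstat snapshot on stdin; exit 0 if port $1 is free, 1 if it is
# already bound (with a diagnostic naming the owner).
check_port() {
    snapshot=$(cat)
    owner=$(printf '%s\n' "$snapshot" | port_listener "$1")
    if [ -n "$owner" ]; then
        n=$(printf '%s\n' "$snapshot" | port_connections "$1")
        echo "port $1 is already bound by $owner ($n established); a new input cannot bind it"
        return 1
    fi
    echo "port $1 is free"
}

# Constructed sample modelled on the server-side output in the thread
# (splunkd already listening on 9997 because receiving was configured).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9997 0.0.0.0:* LISTEN 10923/splunkd
tcp 0 0 10.0.0.5:9997 10.0.0.9:33749 ESTABLISHED 10923/splunkd
tcp 0 0 10.0.0.5:9997 10.0.0.9:32878 ESTABLISHED 10923/splunkd
tcp 0 0 10.0.0.5:33751 10.0.0.9:9997 TIME_WAIT -
tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN 10923/splunkd'

# Live use: netstat -tnap | check_port 9997
printf '%s\n' "$SAMPLE_NETSTAT" | check_port 9997 || true
```

When the owner is splunkd itself, the fix is the one Ayn describes: use the receiver already configured under Forwarding and receiving instead of adding a second raw TCP input on the same port.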