Splunk Cloud Platform

splunk-edge not listening on port 9997

FPERVIL
Explorer

I recently installed a Splunk Edge Processor and I noticed it's not listening on port 9997. I can see it as a node on the Splunk Cloud Platform, but I can't send on-prem data from my universal forwarders to it because it's not listening on port 9997.

When I check the ports that it's currently listening to, here are the results:
ss -tunlp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:44628 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:161 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
tcp LISTEN 0 2048 127.0.0.1:37139 0.0.0.0:* users:(("edge_linux_amd6",pid=28942,fd=7))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 2048 127.0.0.1:8888 0.0.0.0:* users:(("edge_linux_amd6",pid=28942,fd=8))
tcp LISTEN 0 128 0.0.0.0:8089 0.0.0.0:* users:(("splunkd",pid=983,fd=4))
tcp LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:44001 0.0.0.0:*
tcp LISTEN 0 2048 127.0.0.1:43335 0.0.0.0:* users:(("edge_linux_amd6",pid=28942,fd=3))
tcp LISTEN 0 128 127.0.0.1:199 0.0.0.0:*
tcp LISTEN 0 2048 127.0.0.1:1777 0.0.0.0:* users:(("edge_linux_amd6",pid=28942,fd=11))
tcp LISTEN 0 2048 192.168.66.120:10001 0.0.0.0:*
tcp LISTEN 0 2048 127.0.0.1:10001 0.0.0.0:*

As you can see, 9997 is not in there. I confirmed the shared settings for this node to make sure that it's expected to receive data on that port:

Splunk forwarders

The Edge Processor settings for receiving data from universal or heavy forwarders.

Port
9997
Maximum channels
The number of channels that all Edge Processors can use to receive data from Splunk forwarders.
300
 
Any clues as to why this is happening?
0 Karma
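
An added example, not part of the original posts and not Splunk tooling: a small parser for `ss -tunlp` output that reports whether a port has a listener and whether that listener is bound only to loopback, run over an excerpt of the output posted above. The function names (`parse_listeners`, `port_status`, `process_ports`) are hypothetical.

```python
import re

# Excerpt of the `ss -tunlp` output from the first post in this thread.
SS_OUTPUT = """\
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:161 0.0.0.0:*
tcp LISTEN 0 2048 127.0.0.1:37139 0.0.0.0:* users:(("edge_linux_amd6",pid=28942,fd=7))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 2048 127.0.0.1:8888 0.0.0.0:* users:(("edge_linux_amd6",pid=28942,fd=8))
tcp LISTEN 0 128 0.0.0.0:8089 0.0.0.0:* users:(("splunkd",pid=983,fd=4))
tcp LISTEN 0 2048 127.0.0.1:1777 0.0.0.0:* users:(("edge_linux_amd6",pid=28942,fd=11))
tcp LISTEN 0 2048 192.168.66.120:10001 0.0.0.0:*
tcp LISTEN 0 2048 127.0.0.1:10001 0.0.0.0:*
"""

LOOPBACK_PREFIXES = ("127.", "[::1]")
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

def parse_listeners(text):
    """Parse `ss -tunlp` rows into dicts; the header and malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        proc = PROC_RE.search(line)  # absent when ss cannot see the owning process
        rows.append({"proto": fields[0], "addr": addr, "port": int(port),
                     "process": proc.group(1) if proc else None})
    return rows

def port_status(rows, port, proto="tcp"):
    """Return 'not listening', 'loopback only' or 'non-loopback' for a port."""
    addrs = [r["addr"] for r in rows if r["proto"] == proto and r["port"] == port]
    if not addrs:
        return "not listening"
    if all(a.startswith(LOOPBACK_PREFIXES) for a in addrs):
        return "loopback only"
    return "non-loopback"

def process_ports(rows, name):
    """Map each port owned by a process whose name starts with `name` to its status."""
    return {r["port"]: port_status(rows, r["port"], r["proto"])
            for r in rows if (r["process"] or "").startswith(name)}

if __name__ == "__main__":
    rows = parse_listeners(SS_OUTPUT)
    print(port_status(rows, 9997), process_ports(rows, "edge_linux"))
```

A "non-loopback" result only describes the bind address; host or network firewalls are not considered.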

sainag_splunk
Splunk Employee

Hello @FPERVIL, looks like it's not listening on 9997; may be an issue during the startup of EP. Did you already deploy a pipeline?

Have you tried checking edge.log to verify whether there are specific errors?

If this helps, Upvote!!!!
Together we make the Splunk Community stronger 
0 Karma

FPERVIL
Explorer

Yes...this is my 1st deployment of this node. I installed the software on a Linux VM and at a minimum I would think it would be listening and waiting for data via port 9997. It's definitely connecting to the cloud on that port.

I don't see anything in the edge.log file that would indicate why it's not listening on that port.  I do see the following but not sure what it may be referring to:

"message":"current settings have previously caused failures. aborting update","type":"provided","status":"failed"},{"time":"2024-10-21T16:16:37.959Z","settings_id":"3080980952365928851","type":"telemetry","status":"running"}]}}

0 Karma