Re: Heavy Forwarder missing

MakszimM

Hello!

We have a Splunk Cloud, for which we set up two on-prem components:
-Heavy forwarder( To route all file based logs through it as an intermediate forwarder to Splunk Cloud)
-Deployment server( To configure UF's)

We have downloaded the uf credential package, and set it up as an app, which we pushed it down to the heavy forwarder, to test if _internal logs appear, which they do, but I do not see the HF listed as a client on my Forwarder management page anymore.

Here comes the tricky part( if i delete a serverclass, the _internal logs disappear, so it still communicates, and i can see the deployment server listed if i push the command from HF: splunk show deploy-poll, but see nothing on DS if i push:
splunk list deploy-clients

On the HF, deploymentclient.conf is configured correctly.

Any ideas?

Thanks!

MakszimM

HF can communicate with DS , no network issues.

No UF's have been configured yet.

VatsalJagani

@MakszimM - Look at your outputs.conf as I mentioned in my answer. This is the issue I think you are having.

VatsalJagani

@MakszimM - Do you see other UFs connected to Forwarder Management UI??

If no UFs and HF is visible then you need to fix this: (outputs.conf selective forwarding missing issue)

Data not appearing in forwarder management UI
https://help.splunk.com/en/splunk-enterprise/administer/update-your-deployment/9.4/configure-the-dep...

If the issue is only with HF then it might be Network connectivity related.

From HF to DS on 8089 port

I hope this helps!!! Kindly upvote if it does!!

Heavy Forwarder missing

configuration

installation

troubleshooting

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation