Splunk Search

ACK not enabled on Forwarder

rmcdougal
Path Finder

Since I have upgraded to version 5.0 I keep receiving the above message in the yellow bar at the top of the web gui. My question is twofold, is this intended and if so how can I disable this, or is this a bug.

Tags (1)

Steve_G_
Splunk Employee
Splunk Employee

Have you enabled clustering on your indexer? If so, that warning message will appear if you're receiving data from a forwarder that doesn't have indexer acknowledgement enabled. You can ignore the warning, although for most purposes it's recommended that you do use indexer acknowledgement with clustered indexers.

See: http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/Useforwarderstogetyourdata#How_indexer_ackno...

bfernandez
Communicator

If it is a configuration option, disabled by default. Why it warns the administrator? Are there any workaround to avoid just only this alerts?

Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...