We have set up "Splunk Forwarder Management" and apps are being successfully deployed to the clients that are polling the Splunk server on port 8089.
We have ensured the check-mark "Restart Splunkd" is checked for the apps being deployed. But strange this is the check-mark gets automatically unchecked. Not sure if this has anything to do with the problem, but logs stop getting forwarded from the clients and when we do "splunk list forward-server", we see that the splunk forwarder is marked "Configured but inactive forwards:"
After running "splunk restart" everything gets back to normal.
Question: What causes the forwarder to become inactive and stop forwarding logs?
... View more