×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
salc
Explorer
Member since: ‎02-25-2026
‎02-26-2026
Community Statistics
Posts 3
Solutions 1
Karma Given 0
Karma Received 0
Member Since ‎02-25-2026
View All

Re: Heavy Forwarders not showing in Agent Manageme...

by in Deployment Architecture
‎02-26-2026 10:30 AM
‎02-26-2026 10:30 AM
Splunk Support nailed it on the first try -- great work Angel Godinez!  When I was adding the servers to the monitoring console a suggestion appeared in the Web UI similar to "servers are storing their own internal logs, switch it to the indexers"  .. so on all of the servers, I configured the 3 indexers in forwarding and receiving under "configure forwarding". Here's what support suggested (which worked):     Missing Internal Index Data: Since version 9.2, the DS requires three internal indexes ( _dsphonehome ,  _dsclient , and  _dsappevent ) to be populated locally to show clients in the UI and CLI. If your DS is configured to forward all data to indexers, it may be "forgetting" the clients immediately after they connect. 1. Enable Local Indexing on the Deployment Server To ensure the DS retains the metadata required to show your Heavy Forwarders, please add the following to your Deployment Server's  $SPLUNK_HOME/etc/system/local/outputs.conf  and restart Splunk: [indexAndForward] index = true selectiveIndexing = true ... View more

Re: Heavy Forwarders not showing in Agent Manageme...

by in Deployment Architecture
‎02-26-2026 08:18 AM
‎02-26-2026 08:18 AM
Hey there, thanks for the suggestion;  I forgot to mention -- this is a brand new install using 10.2 - so probably not relevant for me.  I opened a support case also - so we'll see how that goes 🤞 Thanks!   ... View more

Heavy Forwarders not showing in Agent Management o...

by in Deployment Architecture
‎02-25-2026 11:56 AM
‎02-25-2026 11:56 AM
I'm running Version 10.2.0, Build: d749cb17ea65  -- on RHEL 10 as a Systemd service I've registered 2 Heavy Forwarders with a Deployment Server but I'm not seeing them show up in Agent Management.  Things I've checked: - all host firewalls are configured correctly; tested temporarily disabling also with no luck - no selinux issues seen in /var/log/audit/audit.log   On the deployment server, I am seeing both heavy forwarders connecting:   /opt/splunk/var/log/splunk/splunkd_access.log: 10.4.0.32 - - [20/Feb/2026:16:41:56.627 -0500] "POST /services/broker/phonehome/connection_10.4.0.32_8089_sec-splhf-prd2.domain.com_sec-splhf-prd2_linux-x86%2564_EE8DB183-659C-47E2-8166-05C9B6CB8B8F_EE8DB183-659C-47E2-8166-05C9B6CB8B8F HTTP/1.1" 200 477 "-" "Splunk/10.2.0 (Linux 6.12.0-124.38.1.el10_1.x86_64; arch=x86_64)" - - - 1ms 10.4.0.32 - - [20/Feb/2026:16:42:56.635 -0500] "POST /services/broker/phonehome/connection_10.4.0.32_8089_sec-splhf-prd2.domain.com_sec-splhf-prd2_linux-x86%2564_EE8DB183-659C-47E2-8166-05C9B6CB8B8F_EE8DB183-659C-47E2-8166-05C9B6CB8B8F HTTP/1.1" 200 35 "-" "Splunk/10.2.0 (Linux 6.12.0-124.38.1.el10_1.x86_64; arch=x86_64)" - - - 0ms .. .. 10.4.0.31 - - [20/Feb/2026:16:47:31.639 -0500] "POST /services/broker/phonehome/connection_10.4.0.31_8089_sec-splhf-prd1.domain.com_sec-splhf-prd1_linux-x86%2564_AB8B7A26-21A4-4B2A-A91B-52AAA16482CE_sec-splhf-prd1 HTTP/1.1" 200 447 "-" "Splunk/10.2.0 (Linux 6.12.0-124.38.1.el10_1.x86_64; arch=x86_64)" - - - 1ms 10.4.0.31 - - [20/Feb/2026:16:48:31.646 -0500] "POST /services/broker/phonehome/connection_10.4.0.31_8089_sec-splhf-prd1.domain.com_sec-splhf-prd1_linux-x86%2564_AB8B7A26-21A4-4B2A-A91B-52AAA16482CE_sec-splhf-prd1 HTTP/1.1" 200 447 "-" "Splunk/10.2.0 (Linux 6.12.0-124.38.1.el10_1.x86_64; arch=x86_64)" - - - 2ms    /opt/splunk/var/log/splunk/splunkd.log: 02-20-2026 16:44:03.538 -0500 INFO PubSubSvr [786945 TcpChannelThread] - Subscribed: channel=tenantService/handshake/reply/sec-splhf-prd1/AB8B7A26-21A4-4B2A-A91B-52AAA16482CE connectionId=connection_10.4.0.31_8089_sec-splhf-prd1.domain.com_sec-splhf-prd1_linux-x86%64_AB8B7A26-21A4-4B2A-A91B-52AAA16482CE_AB8B7A26-21A4-4B2A-A91B-52AAA16482CE listener=0x7ff2a47fb800 02-20-2026 16:45:19.721 -0500 INFO PubSubSvr [788090 TcpChannelThread] - Subscribed: channel=tenantService/handshake/reply/sec-splhf-prd1/sec-splhf-prd1 connectionId=connection_10.4.0.31_8089_sec-splhf-prd1.domain.com_sec-splhf-prd1_linux-x86%64_AB8B7A26-21A4-4B2A-A91B-52AAA16482CE_sec-splhf-prd1 listener=0x7ff290110800  on the deployment server when I run:   sudo -u splunk /opt/splunk/bin/splunk list deploy-clients  WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details. No deployment clients have contacted this server.    I configured both heavy forwarders to point to the deployment server using: sudo -u splunk /opt/splunk/bin/splunk set deploy-poll sec-spldpl-prd1.domain.com:8089 There could be a bug here, since the 1st time I ran the command it prompted for credentials, and only generated deploymentclient.conf with: [target-broker:deploymentServer] Running it a 2nd time resulted in: [target-broker:deploymentServer] targetUri = sec-spldpl-prd1.example.com:8089 (I restarted Splunkd service after) According to the documentation: The deploymentclient.conf file requires two stanzas: [deployment-client] [target-broker:deploymentServer]   Based on this, I edited the file and added the missing stanza: [deployment-client] [target-broker:deploymentServer] targetUri = sec-spldpl-prd1.example.com:8089 .. no luck.. I have a server class configured on the deployment server and also created an empty application (base_connectivity) .. subsequently Splunk seems to have autocreated "splunk_ingest_actions"   Any ideas?   I've got a 9 server configuration: 2 search heads 3 indexers 2 Heavy Forwarders 1 Deployment Server 1 Combo Server (license manager, cluster manager, monitoring console)               ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-26-2026 07:29 AM