Getting Data In

How to troubleshoot configuration mismatch in inputs.conf and outputs.conf?

antifreke
Path Finder

Background: I am not an engineer and have little engineering experience. In setting up my instance, I have a question about the .conf files.

Search Head - x.x.x.25
Syslog Server - x.x.x.24
Indexer 1- x.x.x.23

If I'm forwarding syslog data on UDP 514, I have the following:

inputs.conf

[udp://514]
connection_host=dns
index=syslog
sourcetype=syslog

outputs.conf

[syslog:syslogGroup]
server = x.x.x.23:9997

[tcpout:indexer1]
server:x.x.x.23:9997

When I run list forward-server, I get the following:

Active forwards: none
configured but inactive: x.x.x.23:9997

Any ideas how I got this mismatch and what I need to do to make them active? I currently have no issues with networking, no firewalls, and can openly ping between devices. Thoughts?

0 Karma
1 Solution

lguinn2
Legend

Your outputs.conf is misconfigured. It should be

[tcpout:group1]
server=x.x.x.23:9997

The tcpout specifies Splunk-forwarder-to-Splunk-indexer communication. group1 can be any unique name; it is needed only if there are multiple tcpout stanzas. (So "indexer1" is actually okay here, but it doesn't really mean anything.)
The server specification of x.x.x.23:9997 should be fine - as long as the indexer running on x.x.x.23 is actually listening on port 9997. If it is not, that would be one reason that it would show up as "inactive."

The [syslog:syslogGroup] stanza should be removed. It is specifying that the forwarder should send data in syslog format to the server - which it should not do. This also could be the reason that the indexer shows as inactive.

For more information, you should look at $SPLUNK_HOME/var/log/splunkd.log

0 Karma
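
As an added example (not code from this thread or from Splunk), a small Python linter that parses the posted outputs.conf and flags the two problems the answer names: a `server:` line that uses ':' instead of '=' and so never sets `server`, and a [syslog:...] stanza aimed at a Splunk indexer. The parser, the sample configs and the x.x.x.23 host are constructed for illustration.

```python
import re

# Constructed sample: the outputs.conf from the question (hosts are placeholders).
SAMPLE_OUTPUTS_CONF = """\
[syslog:syslogGroup]
server = x.x.x.23:9997

[tcpout:indexer1]
server:x.x.x.23:9997
"""
FIXED_OUTPUTS_CONF = "[tcpout:group1]\nserver=x.x.x.23:9997\n"  # the answer's version

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
SETTING_RE = re.compile(r"^(?P<key>[A-Za-z_][\w.]*)\s*=\s*(?P<value>.*)$")


def parse_conf(text):
    """Return (stanzas, malformed): {stanza: {key: value}} and [(stanza, line_no, raw)]."""
    stanzas, malformed, current = {}, [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
            continue
        m = SETTING_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group("key")] = m.group("value").strip()
        else:  # e.g. 'server:host:port' (':' instead of '=') never sets 'server'
            malformed.append((current, no, raw))
    return stanzas, malformed


def lint_outputs_conf(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    stanzas, malformed = parse_conf(text)
    findings = [f"line {no}: '{raw.strip()}' in [{stanza}] is not 'key = value'"
                for stanza, no, raw in malformed]
    for name, settings in stanzas.items():
        if name.startswith("syslog:"):
            findings.append(f"[{name}]: sends data in syslog format; a Splunk "
                            "indexer needs a tcpout stanza instead")
        elif name.startswith("tcpout:") and not settings.get("server", "").strip():
            findings.append(f"[{name}]: no 'server' setting, so no forwarding target")
    return findings
```

Running `lint_outputs_conf(SAMPLE_OUTPUTS_CONF)` reports three findings (the malformed `server:` line, the syslog stanza, and the tcpout stanza left without a server), while the corrected config reports none; whether x.x.x.23 actually listens on 9997 still has to be checked on the indexer and in splunkd.log.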

antifreke
Path Finder

Alright, I have that up... but I think I figured out part of my problem in rsyslog.conf. Does the following look like I did this correctly?

# rsyslog legacy filter: closing quote added so the condition parses; '&~' discards the matched message afterwards
if $fromhost-ip startswith 'x.x.x.23' then /var/log/rsyslog/devices.log
&~

0 Karma