Hi, I'm a trial user for Splunk. I have a setup in Azure: one Azure VM running Splunk Enterprise and four Azure VMs with Universal Forwarders that should send data to the Enterprise server. I can see those instances listed on the Enterprise server in Forwarder Management, but the UFs are not sending any data. Ports 9997 and 8089 are open both inbound and outbound on the servers with UF and on the server running the Enterprise server. They are also open in the Azure NSG for all VMs. When looking at splunkd on the servers with UF, the handshake is done and the Enterprise server IP is accessed. When restarting the UF, it shows that all is fine - the port is open, etc. But nothing more happens. I can't see the other VMs with UF as hosts when searching "index = _*", only the one which is running Enterprise, i.e. itself. I no longer know how to troubleshoot further. Earlier it gathered events from the server running Enterprise, but not anymore. It captured 6928 events and nothing has happened after that. There is a warning, as in the attached picture. Any ideas? Thanks!