On Monday, I applied a reset license, as the indexing got out of hand last week and seemed to be indexing duplicate log files.
Now today, when I check the pool, it says this:
No indexers have reported into this pool today
I've restarted all the Splunk Forwarders on the servers (8 total). I've restarted the Splunk server. This was all working and functional previously. Firewalls are configured to allow port 9997.
Any ideas on what the issue is?
I made no changes to the inputs.conf files on the forwarders. The only change I made was to the props.conf on the indexer. I just went to double check the settings in \default\props.conf and the file was empty! That seems to be the source of the problem. Not sure how that happened, but I reverted the file back and now I see events being indexed as expected.
Thanks LUKEJADAMEC for sparking me to look in the right spot!
Did you make changes to the inputs.conf files to correct for the indexing overload?
Are you getting messages in the forwarders' splunkd.log files that say something to the effect that 'connection to the indexer was refused'?