No indexers have reported into this pool today

verifybrand · ‎01-29-2014

On Monday, I applied a reset license, as the indexing got out of hand last week and seemed to be indexing duplicate logs files.
Now today, when I check the pool, it says this:

I've restarted all the Splunk Forwarders on the servers (8 total). I've restarted the splunk server. This was all working and functional previously. Firewalls are configured to allow port 9997.

Any ideas on what the issue is?

verifybrand · ‎01-29-2014

I made no changes to the inputs.conf files on the forwarders. The only change I made was to the props.conf on the indexer. I just went to double check the settings in \default\props.conf and the file was empty! That seems to be the source of the problem. Not sure how that happened, but I reverted the file back and now I see events being indexed as expected.

Thanks LUKEJADAMEC for sparking me to look in the right spot!

lukejadamec · ‎01-29-2014

Did you make changes to the inputs.conf files to correct for the indexing overload?
Are you getting messages in the forwarders splunkd.log files that say the something to the effect that 'connection to the indexer was refused'?

No indexers have reported into this pool today

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!