Why isn't Splunk working with a new forwarder client?

AllenRed
New Member

I have Splunk working on one server (an indexer) with one other server as its client (with the Universal forwarder). All my machines are Linux. I want to get Splunk to work with an additional client.

It seems like port 9997 is closed on my network. At this time of year, I cannot get someone to determine if it is open or not. iptables doesn't block this port on either machine (the client forwarder that I want to get working or the Splunk server). I installed telnet on both machines.

On the forwarder I want to get working for the first time, the output of this command (from /opt/splunkforwarder/bin/) is nothing:

 # ./splunk cmd btool output list --debug 

The output of this command from /opt/splunkforwarder/bin/ (from a client server that is not yet a forwarder),

 # ./splunk cmd btool inputs list splunktcp --debug

is as follows:

 /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/inputs.conf [splunktcp]
 /opt/splunkforwarder/etc/system/default/inputs.conf                        _rcvbuf = 1572864
 /opt/splunkforwarder/etc/system/default/inputs.conf                        acceptFrom = *
 /opt/splunkforwarder/etc/system/default/inputs.conf                        connection_host = ip
 /opt/splunkforwarder/etc/system/local/inputs.conf                          host = cooltest.domainName.cloud
 /opt/splunkforwarder/etc/system/default/inputs.conf                        index = default
 /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/inputs.conf route = has_key:tautology:parsingQueue;absent_key:tautology:parsingQueue

On the main Splunk server, I did a tail of the splunkd.log file. I found this:

12-31-2014 16:12:28.663 -0800 ERROR TcpOutputFd - Connection to host=x.x.x.x:80 failed
12-31-2014 16:12:58.665 -0800 WARN  TcpOutputFd - Connect to x.x.x.x:80 failed. Connection refused

Where x.x.x.x is the IP address of the client server that I want to forward. nmap showed that port 80 was blocked between the servers.

On the client server (that I want to be a forwarder), I did a tail of the splunkd.log file. I found this:

01-01-2015 00:16:47.426 +0000 ERROR TcpOutputFd - Connection to host=y.y.y.y:9997 failed
01-01-2015 00:16:48.429 +0000 WARN  TcpOutputProc - Forwarding to indexer group default-autolb-group blocked for 9600 seconds.
01-01-2015 00:17:17.428 +0000 WARN  TcpOutputFd - Connect to y.y.y.y:9997 failed. Connection refused

Where y.y.y.y is the IP address of main Splunk server.

What should I do to get Splunk working with this client server? I want the client server to be a forwarder.

0 Karma
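The two splunkd.log excerpts above carry more information than a plain "port closed" reading gives them: "Connection refused" means the remote host answered the SYN with a RST, so the packet reached a machine, and the usual cause is that nothing is listening there (on the indexer, that is a splunktcp input that was never enabled), or an iptables REJECT rule; a firewall that silently DROPs would show up as a timeout instead, and a routing or DNS problem as "unreachable". The script below is an added example for this thread, not Splunk's own tooling. It parses TcpOutputFd lines (a constructed sample in the format quoted above), probes the host:port each one names, and maps the outcome to a likely cause. The `self_check` helper demonstrates the "open" versus "refused" distinction offline against a throwaway local listener, so it can be run on any box without network access to an indexer.

```python
"""Classify a Splunk forwarder -> indexer TCP failure from splunkd.log lines.

Added example for this thread, not Splunk's own code. It parses the
TcpOutputFd lines to recover the destination the forwarder is dialling,
then probes that host:port and maps the outcome to a likely cause:

  open        TCP works; look at outputs.conf / inputs.conf, not the network
  refused     host answered with RST: nothing listening (receiving not
              enabled on the indexer) or an iptables REJECT rule
  timeout     packets silently dropped (firewall DROP, wrong IP or route)
  unreachable no route or name resolution failure
"""
import re
import socket

# Constructed sample, modelled on the splunkd.log lines quoted in the question.
SAMPLE_LOG = """\
01-01-2015 00:16:47.426 +0000 ERROR TcpOutputFd - Connection to host=y.y.y.y:9997 failed
01-01-2015 00:16:48.429 +0000 WARN  TcpOutputProc - Forwarding to indexer group default-autolb-group blocked for 9600 seconds.
01-01-2015 00:17:17.428 +0000 WARN  TcpOutputFd - Connect to y.y.y.y:9997 failed. Connection refused
"""

# Matches both "Connection to host=H:P failed" and "Connect to H:P failed".
_TARGET_RE = re.compile(
    r"TcpOutputFd - Connect(?:ion)? to (?:host=)?(?P<host>[^:\s]+):(?P<port>\d+) failed"
)

ADVICE = {
    "open": "TCP path is fine; check outputs.conf on the forwarder and the splunktcp input on the indexer",
    "refused": "host reachable but nothing listening: enable receiving on the indexer (or fix a REJECT rule)",
    "timeout": "no answer at all: a firewall is dropping the traffic or the address/route is wrong",
    "unreachable": "no route or DNS failure: check the address and routing before anything Splunk-specific",
}


def parse_targets(log_text):
    """Return unique (host, port) pairs the forwarder failed to reach, in log order."""
    targets = []
    for line in log_text.splitlines():
        m = _TARGET_RE.search(line)
        if m:
            target = (m.group("host"), int(m.group("port")))
            if target not in targets:
                targets.append(target)
    return targets


def probe(host, port, timeout=3.0):
    """Attempt a TCP connect and classify the result (see module docstring)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:          # TimeoutError on Python >= 3.10, same thing
        return "timeout"
    except OSError:                 # EHOSTUNREACH, ENETUNREACH, gaierror, ...
        return "unreachable"


def diagnose(log_text, timeout=3.0):
    """Probe every target found in the log and return {(host, port): outcome}."""
    return {t: probe(t[0], t[1], timeout) for t in parse_targets(log_text)}


def self_check():
    """Demonstrate 'open' vs 'refused' offline with a throwaway local listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe("127.0.0.1", port, timeout=2.0)
    srv.close()                     # nothing listening now -> RST -> "refused"
    after_close = probe("127.0.0.1", port, timeout=2.0)
    return while_listening, after_close


if __name__ == "__main__":
    print("self-check (open, refused):", self_check())
    for (host, port), outcome in diagnose(SAMPLE_LOG).items():
        print(f"{host}:{port} -> {outcome}: {ADVICE[outcome]}")
```

Run it on the forwarder with the real log (`diagnose(open('/opt/splunkforwarder/var/log/splunk/splunkd.log').read())`) and read the outcome before touching any firewall ticket: "refused" from the indexer's address is fixed on the indexer by enabling a receiver, not by opening a port.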

ddrillic
Ultra Champion

No good – no connectivity ... did you put the port as well in the telnet command?

0 Karma

AllenRed
New Member

"The first step would be to run from the client the following - telnet 'splunk server host' 9997"

I get this:

Trying x.x.x.x...
telnet: connect to address x.x.x.x: Connection refused

where x.x.x.x is the IP address of the main Splunk server (aka the indexer).

0 Karma

ddrillic
Ultra Champion

The first step would be to run from the client the following -
telnet 'splunk server host' 9997

Regards,
Dan

0 Karma
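Two further observations from the question that a telnet check alone will not resolve, stated here as an added note rather than as part of either poster's reply. First, btool takes the configuration file name without its ".conf" suffix, so the forwarder's send targets are listed with `./splunk cmd btool outputs list tcpout --debug` (the conf file is outputs.conf; `output list` matches no file and prints nothing). Second, "Connection refused" on 9997 from the forwarder means the indexer answered but has no listener on that port, which is what an indexer looks like before receiving is enabled. The minimal pair of stanzas that makes a forwarder send to an indexer is below; it is an added example, not configuration from the thread, and y.y.y.y is the indexer's address as the question uses it. On the indexer, `./splunk enable listen 9997` writes the first stanza for you; on the forwarder, `./splunk add forward-server y.y.y.y:9997` writes the second and third; restart splunkd on each side afterwards and confirm with `./splunk list forward-server` on the forwarder.

```ini
# Indexer side (y.y.y.y), $SPLUNK_HOME/etc/system/local/inputs.conf:
# open a splunktcp receiver on 9997. acceptFrom defaults to *, so
# restricting it to the forwarder subnet is a cheap hardening step once
# things work (assumed subnet shown; adjust to your forwarders).
[splunktcp://9997]
disabled = 0
# acceptFrom = 10.0.0.0/8

# Forwarder side, /opt/splunkforwarder/etc/system/local/outputs.conf:
# default-autolb-group is the group name the forwarder's own log already
# refers to ("Forwarding to indexer group default-autolb-group blocked").
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = y.y.y.y:9997
```

Once both sides are restarted, the forwarder's splunkd.log should show a successful TcpOutputProc connection to y.y.y.y:9997 within a minute, and `index=_internal host=<forwarder>` on the indexer is the quickest search to confirm that data is actually arriving.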