Splunk Universal Forwarder won't forward events(or...

shahara · ‎04-20-2015

Hi All,

I'm currently implementing a new installation of Splunk.
Single-Server-Scenario server that will have forwarders forwarding data into it.
I'm trying to install the Windows Infrastructure App.
I began by installing the Universal Forwarders and setting a sendtoindexer app.
Here are the configurations in the outputs.conf of the sendtoindexer app:

[tcpout]
defaultGroup = splunkindexers

[tcpout:splunkindexers]
server = splunkprod:9997

[tcpout-server://splunkprod:9997]

Nothing appears in the relevant indexes and i get the following error when i go into the Splunk system activity page:

04-20-2015 15:10:50.415 +0300 ERROR TcpOutputFd - Connection to host=192.168.XX.XXX:9997 failed

Please assist ASAP, any feedback will be helpful...

Thanks a lot!!!
Shahar

malmoore · ‎04-21-2015

Confirm that Windows Firewall isn't silently eating packets on both the client and the server.

shahara · ‎04-20-2015

Of course, It's configured to receive on this port.
Additionally, when i use telnet to the splunk server using 9997 i get an answer.

Thanks,
Shahar

schose · ‎04-20-2015

Hi,

is the Splunk server configured for receiving events?! check settings->forwarding and receiving->configure receiving ...

Can you establish a tcp connection from client to server on tcp/9997 (from client: telnet server 9997)

Cheers,

Andreas

Splunk Universal Forwarder won't forward events(or indexer won't receive)

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM