Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Cannot View data in Splunk Console

vivekg72
Explorer
‎09-01-2017 02:53 AM

Hi

I am new to Splunk and we have to complete POC . We have two server : Server A ( Index Server where Splunk Enterprise is installed ) and Server B where we have installed Forwarder and configure it to monitor one file system

Server B :

Server B $> splunk list forward-server
Splunk username: admin
Password:
Active forwards:
ServerA:9997
Configured but inactive forwards:
None

Server A :

Server A > lsof -i TCP:9997
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
splunkd 20810 svc_splunk_dev 48u IPv4 18875290 0t0 TCP *:palace-6 (LISTEN)
splunkd 20810 svc_splunk_dev 79u IPv4 18884788 0t0 TCP ServerA:palace-6->ServerB:53122 (ESTABLISHED)

ServerA # plunk list forward-server
Splunk username: admin
Password:
Active forwards:
None
Configured but inactive forwards:
None

Please advise

Tags (1)
0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎09-01-2017 06:09 AM

Has your forwarder ever sent data to Splunk? If not, have you enabled your Splunk Enterprise server to listen on port 9997?

You could also look under /opt/splunk/var/log/splunk/splunkd.log for errors

0 Karma
Reply

vivekg72
Explorer
‎09-01-2017 06:13 AM

Hi
No and there are no errors in splunkd.log file . Also Splunk Enterprise server to listen on port 9997 is configured

Thanks
vivek

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎09-01-2017 08:25 AM

Do you have an outputs.conf defined on your forwarder which is pointing to your Splunk enterprise instance? If so, have you tested the connection between the two servers to verify there is not a firewall blocking them?

0 Karma
Reply

vivekg72
Explorer
‎09-01-2017 08:31 AM

Hi,

yes . We have output.conf file on forwarder server

ServerB #cat outputs.conf
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = ServerA:9997

[tcpout-server://ServerA:9997]

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎09-02-2017 05:05 AM

Did you restart splunkd after making changes to the conf files? Have you verified via telnet that your forwarder can connect to your Splunk instance? What is the location of your outputs.conf?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-01-2017 05:11 AM

Hi vivekg72,
what is your question?

To send logs from a forwarder to an indexer see at https://docs.splunk.com/Documentation/Splunk/6.6.3/Data/WhatSplunkcanmonitor

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...