Getting Data In

Connection issues: when I created a new indexer, our data is not showing up.

snallam123
Path Finder

There are a couple of indexes in inputs.conf.

I just added a new index with a new port. All other indexes are working fine and servers can send data to indexes. The problem is with the newly added one. When I do telnet from universal forwarder to indexer, all other ones are establishing a connection, but I can't establish a connection to the new one.

Am I missing something here? Can someone figure out where the problem is?

Thanks a lot in advance.

0 Karma
1 Solution

bpadmanbhachari
Splunk Employee
Splunk Employee

If telnet is not connecting to new indexer then you need to check two things.
1. Check if port is enabled on forwarder and indexer using "netstat -an |grep "port" command.
2. Check if you have any third party firewall on indexer end refusing the connection.
3. If port is fine and enabled check if you have enabled receiving on indexer end for that port. On indexer GUI>> settings >> forwarding and receiving >> receiving >> enable the port.

View solution in original post

0 Karma

bpadmanbhachari
Splunk Employee
Splunk Employee

If telnet is not connecting to new indexer then you need to check two things.
1. Check if port is enabled on forwarder and indexer using "netstat -an |grep "port" command.
2. Check if you have any third party firewall on indexer end refusing the connection.
3. If port is fine and enabled check if you have enabled receiving on indexer end for that port. On indexer GUI>> settings >> forwarding and receiving >> receiving >> enable the port.

0 Karma

ddrillic
Ultra Champion

The following can help I can't find my data!

0 Karma

MuS
SplunkTrust
SplunkTrust

Check on the indexer if to port is open (assuming *nix so use `netstat -an | grep )
Check if there is a local firewall blocking the new port on the indexer
Check if any other firewall is blocking the connection from your uf to the idx

cheers, MuS

0 Karma

snallam123
Path Finder

@MuS Thanks for comment, Source and dest servers are connected locally. When created last indexes i did not open any port, But connections went well. The port number i am using is not open but i heard from network guys like when i get data on that port it should be fine.

0 Karma

MuS
SplunkTrust
SplunkTrust

I quite don't get it want you are saying here ¯\_(ツ)_/¯

First you say you cannot connect, then the servers are connected locally but no port open?

So, does it work now or not?

0 Karma

snallam123
Path Finder

Sorry for confusion, Out of 9 indexes one is not working, did same configuration for all. all indexes are having different ports [6581-6590]. No firewall for these servers(contacted with network team).

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...