Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What issue would cause a heavy forwarder to show a status of "SplunkForwarder UNCONFIGURED ENABLED"?

msantich
Path Finder
‎11-11-2014 09:16 AM

we're in the process of investigating why our heavy forwarders are not forwarding events from the myriad universal forwarders to our indexer.

in the diagnostic process we ran ./splunk display app from one of our heavy forwarders. the results show:
SplunkForwarder UNCONFIGURED ENABLED.

can anyone explain what issue we might have that causes the status to show UNCONFIGURED, yet enabled.

we're missing something......

thanks in advance.

michaelS

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

msantich
Path Finder
‎11-11-2014 11:46 AM

ANSWERED, but still curious.

although the output of the list forward-server showed all active forwards correctly, we re-issued the add forward-server command and now the events are correctly being forwarded.

there must be something subtle that requires that the add forward server command be run even though all forward servers are already configured.....

if anyone can comment on this...we'd appreciated it..

anyway, we're up now....thanks all.

View solution in original post

Reply
Solved! Jump to solution
Solution

msantich
Path Finder
‎11-11-2014 11:46 AM

ANSWERED, but still curious.

although the output of the list forward-server showed all active forwards correctly, we re-issued the add forward-server command and now the events are correctly being forwarded.

there must be something subtle that requires that the add forward server command be run even though all forward servers are already configured.....

if anyone can comment on this...we'd appreciated it..

anyway, we're up now....thanks all.

Reply
Solved! Jump to solution

msantich
Path Finder
‎11-11-2014 10:04 AM

Splunk heavy forwarders had been working....recent upgrade of OS (Linux) and re-create of forwarder results in heavy forwarders NOT relaying events from lower tier universal forwarders
we're just missing something on re-create effort

0 Karma
Reply
Solved! Jump to solution

msantich
Path Finder
‎11-11-2014 09:52 AM
  • deployment monitor shows forwarders are "connecting" to indexer
  • events generated locally on the forwarders ARE getting to the indexer.
  • Only events from universal forwarders are not getting though.

from universal forwarders, list forward-server shows the heavy forwarder and indexer OK.

0 Karma
Reply
Solved! Jump to solution

msantich
Path Finder
‎11-11-2014 09:44 AM

Thanks much....version 4.2.5

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...