Re: indexer configured but inactive on new Linux s...

prathyusha_99 · ‎06-18-2014

I have been working on configuring splunk on the new Linux servers that were added to our environment. I ran into some issues and would appreciate if you can help me with these. The splunk server installed in our environment is version 4.1.3. I have installed splunkforwarder-6.1 on the linux server and configured it to forward to the indexer. When I list the forward servers, It shows the indexer as configured but inactive. I have checked all the input.conf and output.conf files on the forwarder. Is this any issue of incompatibility between splunk 4.1 and splunkforwarder-6.1?
What is the best way to make this work ? update my indexer?

linu1988 · ‎06-18-2014

Splunk 6 forwarders are not compatible to 4.x indexers..

http://docs.splunk.com/Documentation/Splunk/6.1.1/Forwarding/Compatibilitybetweenforwardersandindexe...

prathyusha_99 · ‎06-18-2014

Sorry, typo its inputs.conf

From the metrics log it looks like its trying and failing. I don't see any erroe message why is it failing.

06-18-2014 13:11:01.595 -0400 INFO StatusMgr - destHost=XXXXX, destIp=XXXX, destPort=9997, eventType=connect_try, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor
06-18-2014 13:11:08.452 -0400 INFO StatusMgr - destHost=XXXX, destIp=XXXX, destPort=9997, eventType=connect_fail, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor

indexer configured but inactive on new Linux servers

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...