Re: UF splunkd.log says "Can't find or illegal IP ...

valkyrie · ‎08-15-2013

After manually installing splunkforwarder-5.0.3-163460-x64-release.msi on Windows Server 2008 R2 and specifying index server DN "bhbs-splunk" or FQDN "bhbs-splunk.bhbt.local" the Forwarder does not show up in the Splunk index server. The UF's splunkd.log shows repeated "08-15-2013 08:12:52.986 -0400 ERROR TcpOutputProc - Can't find or illegal IP address or Name: #bhbs-splunk"

I can nslookup "bhbs-splunk" and "bhbs-splunk.bhbt.local" and ping them from the UF, also nmap on the UF shows that bhbs-splunk is listening on the default port. The Windows Firewall is disabled on the UF server, and the UF and the Splunk indexer are in the same subnet, and even the same switch.

The only way I can get the Fwdr to show up on the indexer without a splunkd error is to use the indexer's IP address when installing the UF. This happens 50% of the time after installing the UF msi on x64 or x86 Windows Servers.

splunkranger · ‎03-04-2014

Did you find a solution? I am seeing the same issue.

cleelakrishna · ‎04-18-2020

add same hostname in serverclass.conf , that it has in $splunk_HOME/etc/system/local/inputs.conf

UF splunkd.log says "Can't find or illegal IP address or Name" using DN or FQDN

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...