I have installed splunk on machine 1 and universal forwarder on machine 2. I can see on forwarder: C:\Program Files\SplunkUniversalForwarder\bin>splunk list forward-server Active forwards: XXX.XX.XX.XXX:9997 Configured but inactive forwards: None however when i go and check in splunk, i don't see any forwarder details. the C:\Program Files\Splunk\etc\system\local\inputs.conf is like below. [default] host = <IP of machine where splunk is installed> [splunktcp://:9997] disabled = 0 The outputs.conf on forwarder is like below [tcpout] defaultGroup = default-autolb-group [tcpout:default-autolb-group] server = <receiverIP>:9997 [tcpout-server://<receiverip>:9997] I checked in splunkd logs in forwarder, there is no error corresponding to tcpout. I am able to telnet on 9997 port from forwarder to receiver Please advise. ... View more

Hi Splunk Team, We have installed splunk tool on a windows server 2003 machine say A and Splunk forwarder on another windows server 2008R2 machine say B. Following default ports have been opened between them. 9997,8089 ,8000 The above ports are opened only as outbound connectivity from source to destination. We have checked the input and output configuration files too. However we are still unable to detect the forwarder in the splunk tool. Please see the below conf files and snapshot of log files too. Let us know if anything else is required. Input.conf (splunk from Machine A) [default] host = <machine A> # added from below [tcp://<machine B IP >:9997] disabled = 0 `[tcp] acceptFrom=* connection_host=ip` Pls see error msg in splunkd log from machine B where forwarder is installed. 03-20-2013 10:25:19.465 -0400 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: rejected 03-20-2013 10:25:31.477 -0400 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: rejected 03-20-2013 10:25:43.490 -0400 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: rejected 03-20-2013 10:25:55.502 -0400 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: rejected 03-20-2013 10:26:07.514 -0400 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: rejected 03-20-2013 10:26:16.702 -0400 WARN PubSubConnection - Cannot convert str: to a valid status, returning eRejected. Please HELP. Thanks in advance. Thanks Shivanshu ... View more

We ar trying to connect our forwarder installed on one of the windows server to splunk installed on another windows server. However spluink is n0t showing active forwarders connected. Even the splunk list forward-server command is giving below error when run on forwarder. Please help SplunkUniversalForwarder\bin>splunk list forward-server Operation "ospath_fopen" failed in .\conf-mutator-locking.c:254, conf_mutator_lo ck(); No error Conf mutator lockfile has PID 4036, but my PID is 4892; error condition likely ... View more