Hi @ahmemohs03,
So after the other comments think I know what part of the issue is...
Splunk by default does not have the listening ports enabled i.e. 9997. So you will need to edit the inputs.conf file and insert then restart splunkd:
[splunktcp://9997]
connection_host = dns
Note: By default Splunk will use "connection_host = ip" meaning that the "host" field will come up as the IP address and not use the DNS name...
Note 2: You could also use the command line to enable the listening port:
/opt/splunk/bin/splunk enable listen 9997
Confirm the configuration by the command line via:
/opt/splunk/bin/splunk display listen
Note: You will have to login but you should see the following line (or whatever port you enabled)
Receiving is enabled on port 9997.
The "X509Verify" message is more of a hint/tip that for enterprises or for production use, you should use a proper PKI solution (Certificates) either from a 3rd-party or if you have your own Certificate Service then use that. As the Splunk CA is one that gets shipped out in every download and as such the communications aren't as secure...
For in the logs on your Linux A system (Splunk Enterprise) you should see something similar to the below lines for the various port inputs usually after all of the "HotDBManager" & "IndexWriter" messages...
07-22-2018 12:49:57.748 +1000 INFO TcpInputConfig - IPv4 port 517 is reserved for raw input
07-22-2018 12:49:57.748 +1000 INFO TcpInputConfig - IPv4 port 517 will negotiate s2s protocol level 4
07-22-2018 12:49:57.748 +1000 INFO TcpInputConfig - IPv4 port 9997 is reserved for splunk 2 splunk
07-22-2018 12:49:57.748 +1000 INFO TcpInputConfig - IPv4 port 9997 will negotiate s2s protocol level 4
07-22-2018 12:49:57.754 +1000 INFO TcpInputProc - Creating raw Acceptor for IPv4 port 514 with Non-SSL
07-22-2018 12:49:57.755 +1000 INFO TcpInputProc - Creating raw Acceptor for IPv4 port 515 with Non-SSL
07-22-2018 12:49:57.768 +1000 INFO TcpInputProc - Creating raw Acceptor for IPv4 port 516 with Non-SSL
07-22-2018 12:49:57.768 +1000 INFO TcpInputProc - Creating raw Acceptor for IPv4 port 517 with Non-SSL
07-22-2018 12:49:57.768 +1000 INFO TcpInputProc - Creating fwd data Acceptor for IPv4 port 9997 with Non-SSL
Regarding the web GUI on Linux A, any configuration on Linux B will have zero effect upon this... What I would say is confirm that the user that which Splunk is running under has permissions to open ports, or has ownership of the entire "/opt/splunk/" folder structure.
For this would you mind sending in what your web.conf looks like, also check your splunkd.log for any errors, I believe if you look after the "TailReader" / "TailingProocessor" entries there should be couple items from "loader" talking about REST HTTP server, then two X509Verify entries... If there are issues this is where it probably will mention what is causing the web gui from working. Could possibly need to look at your mongod.log file as well to make sure that it starting correctly (esp. if you have changed the sslPassword setting within server.conf):
...
07-22-2018 12:50:05.910 +1000 INFO TailingProcessor - Adding watch on path: /var/adm.
07-22-2018 12:50:05.910 +1000 INFO TailingProcessor - Adding watch on path: /var/log.
07-22-2018 12:50:05.917 +1000 INFO loader - Limiting REST HTTP server to 1365 sockets
07-22-2018 12:50:05.917 +1000 INFO loader - Limiting REST HTTP server to 303 threads
07-22-2018 12:50:05.917 +1000 WARN X509Verify - X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) should not be used, as it is issued by Splunk's own default Certificate Authority (CA). This puts y
our Splunk instance at very high-risk of the MITM attack. Either commercial-CA-signed or self-CA-signed certificates must be used; see: <http://docs.splunk.com/Documentation/Splunk/latest/Security/Howtoself-
signcertificates>
07-22-2018 12:50:06.291 +1000 WARN X509Verify - X509 certificate (O=SplunkUser,CN=splunk) should not be used, as it is issued by Splunk's own default Certificate Authority (CA). This puts your Splunk instan
ce at very high-risk of the MITM attack. Either commercial-CA-signed or self-CA-signed certificates must be used; see: <http://docs.splunk.com/Documentation/Splunk/latest/Security/Howtoself-signcertificates>
When you restart Splunk from the command line, I would recommend using the splunk binary instead of "systemctl" if that is what you are using as the "splunk" binary will provide some basic output on each stage... e.g.
Stopping splunk helpers...
[ OK ]
Done.
Splunk> Like an F-18, bro.
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _audit _internal _introspection _telemetry _thefishbucket add_on_builder_index car_data cim_modactions cim_summary firedalerts history main os os_metrics perfmon pos_pu sophos summary synology syslog unifi windows wineventlog
Done
Checking filesystem compatibility... Done
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunk/splunk-7.1.0-2e75b3406c5b-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Done [ OK ]
Waiting for web server at https://127.0.0.1:8000 to be available......................... Done
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
The Splunk web interface is at https://splunk:8000
... View more