Hi splunkers ,
I have forwarded the data using universal forwarder to heavy forwarder and then to indexer , where i am seeing all my data of agent server. But, the problem is I don't know why UF is still saying that "configured but inactive "
At universal forwarder end i am seeing in splunkd.log :
08-14-2018 07:03:34.401 -0400 INFO TcpOutputProc - Initializing connection for non-ssl forwarding to 165.113.21.66:9997
08-14-2018 07:03:34.538 -0400 INFO TcpOutputProc - Connected to idx=165.113.21.66:9997, pset=0, reuse=0.
08-14-2018 07:14:15.696 -0400 INFO TcpOutputProc - Initializing connection for non-ssl forwarding to 165.113.21.66:9997
08-14-2018 07:14:15.814 -0400 INFO TcpOutputProc - Connected to idx=165.113.21.66:9997, pset=0, reuse=0.
08-20-2018 06:12:36.906 -0400 INFO TcpOutputProc - Initializing connection for non-ssl forwarding to 165.113.21.66:9997
08-20-2018 06:12:37.038 -0400 INFO TcpOutputProc - Connected to idx=165.113.21.66:9997, pset=0, reuse=0.
and this also (don't know why)
[root@abc.com bin]# ./splunk list forward-server
Active forwards:
None
Configured but inactive forwards:
165.113.21.66:9997
and at heavy forwarder end
[root@def.com bin]# ./splunk display listen
Your session is invalid. Please login.
Splunk username: admin
Password:
Receiving is enabled on port 9997
in splunkd.log at heavy forwarder end :
08-14-2018 07:04:26.163 -0400 INFO TcpInputProc - clustering is enabled but ACK not enabled on forwarder=165.113.20.239
Everything is connected. But still, why am I seeing this "Configured but inactive forwards:" I don't know why, and i also have tried telnet from universal forwarder for heavy forwarder server
[root@abc.com bin]# telnet def.com 9997
Trying def.com...
Connected to def.com.
Escape character is '^]'.
Guys please help. Although, i am receiving all my data at indexer, but still i want to know why i am seeing the "configured but not active" entry in universal forwarder
↧
Seeing all the forwarded data on indexer but universal forwarder is saying "configured but inactive"
↧