We have set up "Splunk Forwarder Management" and apps are being successfully deployed to the clients that are polling the Splunk server on port 8089.
We have ensured the check-mark "Restart Splunkd" is checked for the apps being deployed. But strange this is the check-mark gets automatically unchecked. Not sure if this has anything to do with the problem, but logs stop getting forwarded from the clients and when we do **"splunk list forward-server"**, we see that the splunk forwarder is marked "Configured but inactive forwards:"
After running **"splunk restart"** everything gets back to normal.
**Question:** What causes the forwarder to become inactive and stop forwarding logs?
↧