Feedback
Got feedback? We want it! Submit your comments and suggestions for our community here.
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Universal Forwarder will not activate

johnnyp74
Observer
‎12-03-2024 07:46 AM

I have installed and configured my Universal forwarder, however while it starts it remains inactive:

Active forwards:
None

Configured but inactive forwards:
10.###.##.##:9997

I have validated that I am using the correct ip address, and that I can ping the indexer from the forwarder,  and that port 9997 is not blocked.  So at this point Im just not sure how to resolve this?  Any assistance would be appreciated.

Thanks!

0 Karma
Reply

zksvc
Communicator
2 weeks ago

Have you made sure port 9997 is enabled on Receive Data?

You can go to "Settings -> Forwarding And Receiving -> Receive data -> +Add new"

zksvc_1-1745829865488.png

 

 

0 Karma
Reply

khj
Explorer
3 weeks ago

1. Make sure the UF is operating normally.
$SPLUNK_HOME/bin/splunk status
There should be no message other than the phrase is running.

2. Make sure that the log path you set in inputs.conf has a log

3. Make sure the inputs.conf settings are set correctly
If you set the index, the index must be created in the indexer.

4. Check the UI of the indexer to see if the data is in.
This method is more intuitive than checking with the inputs status of the cli.

5. Search index=_internal and search UF's IP to see if there are any problems

Karma if this has helped!

Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎12-03-2024 08:15 AM

Hi @johnnyp74 

have you restarted splunk service after updating outputs.conf 

and as you mentioned you did ping to check connectivity 

however have you did telent on port 9997 to indexer?

telnet <indexerip> 9997 

in Splunkd.log have you seen any error messages, certainly splunkd.log messages help  to troubleshoot further   




0 Karma
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...
OSZAR »