
Forums: SplunkAdministration: forward data to an IP address




I have successfully setup multiple forwarders to our indexing server "portal03". However, I am now trying to forward from a server (hhwas01) in my system but on a different network that does not have the DNS entry for portal03.

I am able to ping portal03 directly via its IP address from hhwas01, and I am able to ssh over to portal03 using its IP address. I am also able to rsync files from hhwas01 to portal03.

However, when I set up my Splunk forwarder to point to portal03's IP address, the data never arrives at portal03. I have confirmed that my forwarder exists via Manager-->Forwarding & Receiving-->Configure Forwarding Hosts.

Any suggestions on what I may need to do differently? Would this setup require me to send the data via SSH?

http://www.splunk.com/base/Documentation/2.2.6/admin/ForwardingandReceiving#SSH_tips

Thanks in advance,
Sean

No, you should be able to send as long as you can get to the port via the IP. Pinging won't tell you that (nor will ssh or rsync), but if you can telnet to the forwarding port (default 9997) it should be fine, and it's most likely that the configuration of that forwarder is not right (assuming the indexer is still receiving data from the other forwarders).

Try telnet to portal03's IP address, e.g. "telnet 192.168.0.1 9997". If you see the message "Welcome to Microsoft Telnet Client - Escape Character is 'CTRL+]'", then you will know that the port is open; otherwise you will need to check your firewall etc.

Ok, so it appears that I can telnet into "portal03".

wasadmin@hhwas01:~> telnet 172.29.61.12 9997
Trying 172.29.61.12...
Connected to 172.29.61.12.
Escape character is '^]'.

As far as I can tell, hhwas01 (the forwarder above) is identical to all other forwarders (which are all still forwarding).

Any other suggestions?

Well, that's about it then. Is there something about the inputs, data, or other configuration that's different about this forwarder? It can open up the port, so as long as the outputs.conf config uses the right IP and port, that isn't the problem.

Ok, I have fixed this issue. I found where "portal03" was still being referenced instead of the IP address. I know I replaced "portal03" with the IP address multiple times, but apparently I did it wrong because the data was not completely updated. It appears that they were combined, and there was some sort of conflict.

I updated “portal03” references with the IP address in the files below, and now the data is being indexed just like everything else!

wasadmin@hhwas02:/opt/splunk/4.0.8/splunk/etc> grep -r portal03 ./
./apps/search/local/outputs.conf:defaultGroup = portal03_9997,172.29.61.12_9997
./apps/search/local/outputs.conf:[tcpout-server://portal03:9997]
./apps/search/local/outputs.conf:[tcpout:portal03_9997]
./apps/launcher/local/outputs.conf:defaultGroup = portal03_9997
./apps/launcher/local/outputs.conf:[tcpout:portal03_9997]
./apps/launcher/local/outputs.conf:server = portal03:9997

Thanks for the help!
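The two things this thread boils down to are a TCP connect test to the receiving port (the telnet step suggested above) and finding outputs.conf settings that conflict once Splunk merges the per-app copies (the grep at the end). The script below is an added example, not code from the thread or from Splunk: it checks the port without needing a telnet client, and walks every outputs.conf under an etc/ tree reporting defaultGroup set by more than one app, defaultGroup naming a tcpout group that no file defines, and server targets still given by hostname rather than IP. SPLUNK_ETC is an assumed path; point it at your own install.

```shell
#!/usr/bin/env bash
# Added example, not the thread's or Splunk's own code. Assumes coreutils
# `timeout`, a bash for /dev/tcp, and the usual awk/sed/grep.
SPLUNK_ETC=${SPLUNK_ETC:-/opt/splunk/etc}   # assumed path; override it

# check_port HOST PORT: 0 if a TCP connection succeeds, non-zero otherwise.
# Uses bash's /dev/tcp redirection, so no telnet/nc is needed on the forwarder.
check_port() {
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# outputs_files DIR: every outputs.conf below DIR (all apps, local and default).
outputs_files() { find "$1" -name outputs.conf 2>/dev/null | sort; }

# default_groups DIR: "FILE<TAB>VALUE" for every defaultGroup = line.
default_groups() {
  outputs_files "$1" | while read -r f; do
    awk -F= -v f="$f" '/^[[:space:]]*defaultGroup[[:space:]]*=/ {
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); print f "\t" $2 }' "$f"
  done
}

# tcpout_groups DIR: the NAME of every [tcpout:NAME] stanza found anywhere.
tcpout_groups() {
  outputs_files "$1" | while read -r f; do
    sed -n 's/^\[tcpout:\([^]]*\)\].*/\1/p' "$f"
  done
}

# tcpout_servers DIR: "GROUP<TAB>HOST<TAB>PORT" for every target, from
# server = lines inside [tcpout:GROUP] and from [tcpout-server://HOST:PORT].
tcpout_servers() {
  outputs_files "$1" | while read -r f; do
    awk '
      /^\[tcpout-server:\/\// { s=$0; sub(/^\[tcpout-server:\/\//, "", s); sub(/\].*$/, "", s)
                                split(s, hp, ":"); print "tcpout-server\t" hp[1] "\t" hp[2]; next }
      /^\[tcpout:/ { g=$0; sub(/^\[tcpout:/, "", g); sub(/\].*$/, "", g); next }
      /^\[/        { g=""; next }
      g != "" && /^[[:space:]]*server[[:space:]]*=/ {
        v=$0; sub(/^[^=]*=[[:space:]]*/, "", v)
        n=split(v, list, "[[:space:],]+")
        for (i=1; i<=n; i++) if (list[i] != "") { split(list[i], hp, ":"); print g "\t" hp[1] "\t" hp[2] } }
    ' "$f"
  done
}

# is_ip STR: 0 when STR is a dotted-quad IPv4 literal.
is_ip() { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# audit DIR: one line per finding; prints nothing when the tree is clean.
audit() {
  dg=$(default_groups "$1")
  if [ "$(printf '%s\n' "$dg" | grep -c .)" -gt 1 ]; then
    echo "defaultGroup is set in more than one file; after merging, only one wins:"
    printf '%s\n' "$dg" | sed 's/^/  /'
  fi
  known=$(tcpout_groups "$1")
  printf '%s\n' "$dg" | cut -f2 | tr ',' '\n' | grep . | sort -u | while read -r g; do
    printf '%s\n' "$known" | grep -qxF "$g" || \
      echo "defaultGroup names $g but no [tcpout:$g] stanza defines it"
  done
  tcpout_servers "$1" | while IFS="$(printf '\t')" read -r g h p; do
    if ! is_ip "$h"; then
      if getent hosts "$h" >/dev/null 2>&1; then r=resolves; else r="does NOT resolve here"; fi
      echo "group $g sends to hostname $h:$p ($r); use the IP if this host lacks the DNS entry"
    fi
  done
}

# Typical run, from the forwarder:
#   check_port 172.29.61.12 9997 && echo "9997 reachable" || echo "9997 blocked"
#   audit "$SPLUNK_ETC"
```

Run it on the forwarder that is not delivering data: a clean port check plus a non-empty audit output points at the merged configuration rather than the network, which is exactly the split the replies above were making.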