
Validate your configuration
Before you deploy your configuration, you can use splunkd.log to validate and troubleshoot your configuration. Splunkd.log is located on your indexer and forwarder at $SPLUNK_HOME/var/log/splunk/splunkd.log.
On the indexer, look for the following or similar messages at the start-up sequence to verify a successful connection:
02-06-2011 19:19:01.552 INFO TcpInputProc - using queueSize 1000
02-06-2011 19:19:01.552 INFO TcpInputProc - SSL cipherSuite=ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
02-06-2011 19:19:01.552 INFO TcpInputProc - supporting SSL v2/v3
02-06-2011 19:19:01.555 INFO TcpInputProc - port 9997 is reserved for splunk 2 splunk (SSL)
02-06-2011 19:19:01.555 INFO TcpInputProc - Port 9997 is compressed
02-06-2011 19:19:01.556 INFO TcpInputProc - Registering metrics callback for: tcpin_connections
On the forwarder, look for the following or similar messages at the start-up sequence to verify a successful connection:
02-06-2011 19:06:10.844 INFO TcpOutputProc - Retrieving configuration from properties
02-06-2011 19:06:10.848 INFO TcpOutputProc - found Whitelist forwardedindex.0.whitelist , RE : forwardedindex.0.whitelist
02-06-2011 19:06:10.848 INFO TcpOutputProc - found Whitelist forwardedindex.1.blacklist , RE : forwardedindex.1.blacklist
02-06-2011 19:06:10.848 INFO TcpOutputProc - found Whitelist forwardedindex.2.whitelist , RE : forwardedindex.2.whitelist
02-06-2011 19:06:10.850 INFO TcpOutputProc - Will retry at max backoff sleep forever
02-06-2011 19:06:10.850 INFO TcpOutputProc - Using SSL for server 10.1.12.112:9997, sslCertPath=/opt/splunk/etc/aut/server.pem
02-06-2011 19:06:10.854 INFO TcpOutputProc - ALL Connections will use SSL with sslCipher=
02-06-2011 19:06:10.859 INFO TcpOutputProc - initializing single connection with retry strategy for 10.1.12.112:9997
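
The same validation can be scripted. The following is an added example, not part of the Splunk documentation: it reads splunkd.log start-up lines from TcpInputProc and TcpOutputProc, reports which ports and servers use SSL, and flags RC4 and SSL v2/v3. The function names, regular expressions and warning strings are assumptions derived from the sample messages above, and the embedded log text is constructed from them.

```python
import re
# Constructed sample input, modelled on the start-up messages shown above.
INDEXER_LOG = """\
02-06-2011 19:19:01.552 INFO TcpInputProc - SSL cipherSuite=ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
02-06-2011 19:19:01.552 INFO TcpInputProc - supporting SSL v2/v3
02-06-2011 19:19:01.555 INFO TcpInputProc - port 9997 is reserved for splunk 2 splunk (SSL)
"""
FORWARDER_LOG = """\
02-06-2011 19:06:10.850 INFO TcpOutputProc - Using SSL for server 10.1.12.112:9997, sslCertPath=/opt/splunk/etc/aut/server.pem
02-06-2011 19:06:10.854 INFO TcpOutputProc - ALL Connections will use SSL with sslCipher=
02-06-2011 19:06:10.859 INFO TcpOutputProc - initializing single connection with retry strategy for 10.1.12.112:9997
"""
# Assumed layout: date, time, optional UTC offset, level, component, " - ", message.
LINE = re.compile(r"^\S+ \S+(?: [+-]\d{4})? (\w+)\s+(\w+) - (.*)$")

def messages(log_text, component):
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m and m.group(2) == component:
            yield m.group(3)  # message text only, without timestamp and level

def check_indexer(log_text):
    """Summarise TcpInputProc lines: SSL ports, cipher suite, warnings."""
    out = {"ssl_ports": [], "cipher_suite": None, "warnings": []}
    for msg in messages(log_text, "TcpInputProc"):
        if m := re.match(r"port (\d+) is reserved for splunk 2 splunk \(SSL\)", msg):
            out["ssl_ports"].append(int(m.group(1)))
        elif m := re.match(r"SSL cipherSuite=(\S*)", msg):
            out["cipher_suite"] = m.group(1)
            # RC4 is prohibited in TLS (RFC 7465); flag tokens that do not exclude it.
            if any("RC4" in t and not t.startswith(("!", "-")) for t in m.group(1).split(":")):
                out["warnings"].append("cipher suite enables RC4")
        elif "SSL v2" in msg:  # SSLv2 and SSLv3 are deprecated (RFC 6176, RFC 7568)
            out["warnings"].append("legacy SSL versions accepted")
    if not out["ssl_ports"]:
        out["warnings"].append("no SSL receiving port reported")
    return out

def check_forwarder(log_text):
    """Summarise TcpOutputProc lines: SSL servers, cert paths, targets lacking SSL."""
    out, targets = {"ssl_servers": {}, "all_ssl": False}, []
    for msg in messages(log_text, "TcpOutputProc"):
        if m := re.match(r"Using SSL for server (\S+), sslCertPath=(\S+)", msg):
            out["ssl_servers"][m.group(1)] = m.group(2)
        elif m := re.search(r"initializing .* for (\S+:\d+)$", msg):
            targets.append(m.group(1))
        out["all_ssl"] |= msg.startswith("ALL Connections will use SSL")
    out["non_ssl_targets"] = [t for t in targets if t not in out["ssl_servers"]]
    return out
```

To check a live host, pass the contents of $SPLUNK_HOME/var/log/splunk/splunkd.log to the matching function; a non-empty warnings or non_ssl_targets list is what to investigate.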
For help troubleshooting your configuration issues, see "Troubleshoot your forwarder to indexer configuration" in this manual.
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14