
Validate your configuration
Before you deploy your configuration, you can use splunkd.log to validate and troubleshoot your configuration. Splunkd.log is located on your indexer and forwarder at $SPLUNK_HOME/var/log/splunk/splunkd.log.
On the indexer, look for the following or similar messages at the start-up sequence to verify a successful connection:
02-06-2011 19:19:01.552 INFO TcpInputProc - using queueSize 1000
02-06-2011 19:19:01.552 INFO TcpInputProc - SSL cipherSuite=ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
02-06-2011 19:19:01.552 INFO TcpInputProc - supporting SSL v2/v3
02-06-2011 19:19:01.555 INFO TcpInputProc - port 9997 is reserved for splunk 2 splunk (SSL)
02-06-2011 19:19:01.555 INFO TcpInputProc - Port 9997 is compressed
02-06-2011 19:19:01.556 INFO TcpInputProc - Registering metrics callback for: tcpin_connections
On the forwarder, look for the following or similar messages at the start-up sequence to verify a successful connection:
02-06-2011 19:06:10.844 INFO TcpOutputProc - Retrieving configuration from properties
02-06-2011 19:06:10.848 INFO TcpOutputProc - found Whitelist forwardedindex.0.whitelist , RE : forwardedindex.0.whitelist
02-06-2011 19:06:10.848 INFO TcpOutputProc - found Whitelist forwardedindex.1.blacklist , RE : forwardedindex.1.blacklist
02-06-2011 19:06:10.848 INFO TcpOutputProc - found Whitelist forwardedindex.2.whitelist , RE : forwardedindex.2.whitelist
02-06-2011 19:06:10.850 INFO TcpOutputProc - Will retry at max backoff sleep forever
02-06-2011 19:06:10.850 INFO TcpOutputProc - Using SSL for server 10.1.12.112:9997, clientSearch=/opt/splunk/etc/aut/server.pem
02-06-2011 19:06:10.854 INFO TcpOutputProc - ALL Connections will use SSL with sslCipher=
02-06-2011 19:06:10.859 INFO TcpOutputProc - initializing single connection with retry strategy for 10.1.12.112:9997
For help troubleshooting your configuration issues, see "Troubleshoot your forwarder to indexer configuration" in this manual.
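The following is an added example, not Splunk tooling: a short Python check that reads the start-up messages shown above from both sides and confirms that the port the forwarder targets with SSL is one the indexer opened for SSL. The function names are hypothetical, the sample lines are constructed from the messages on this page, and the patterns assume the wording shown here; other versions may log different text.

```python
import re

# Constructed sample input, in the format of the messages shown on this page.
INDEXER_LOG = """\
02-06-2011 19:19:01.552 INFO TcpInputProc - SSL cipherSuite=ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
02-06-2011 19:19:01.552 INFO TcpInputProc - supporting SSL v2/v3
02-06-2011 19:19:01.555 INFO TcpInputProc - port 9997 is reserved for splunk 2 splunk (SSL)
"""
FORWARDER_LOG = """\
02-06-2011 19:06:10.850 INFO TcpOutputProc - Using SSL for server 10.1.12.112:9997, clientSearch=/opt/splunk/etc/aut/server.pem
"""

# timestamp, level, component, message
LINE = re.compile(r"^(\S+ \S+) (\w+)\s+(\w+) - (.*)$")

def check_indexer(text):
    """Summarise TcpInputProc start-up messages: SSL ports, cipher suite, protocols."""
    out = {"ssl_ports": [], "cipher_suite": None, "protocols": None}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(3) != "TcpInputProc":
            continue
        msg = m.group(4)
        port = re.match(r"port (\d+) is reserved for splunk 2 splunk \(SSL\)", msg)
        if port:
            out["ssl_ports"].append(int(port.group(1)))
        elif msg.startswith("SSL cipherSuite="):
            out["cipher_suite"] = msg.split("=", 1)[1]
        elif msg.startswith("supporting SSL "):
            out["protocols"] = msg[len("supporting SSL "):]
    return out

def check_forwarder(text):
    """Return (host, port) pairs the forwarder reports it will reach over SSL."""
    servers = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m and m.group(3) == "TcpOutputProc":
            s = re.match(r"Using SSL for server (\S+):(\d+),", m.group(4))
            if s:
                servers.append((s.group(1), int(s.group(2))))
    return servers

def ssl_verified(indexer_text, forwarder_text):
    """True when every SSL target port on the forwarder is an SSL port on the indexer."""
    ports = set(check_indexer(indexer_text)["ssl_ports"])
    servers = check_forwarder(forwarder_text)
    return bool(servers) and all(port in ports for _, port in servers)
```

The `protocols` and `cipher_suite` fields are worth reviewing as well as the port match: a value of `v2/v3` means the input accepts SSLv2 and SSLv3, both of which are obsolete protocol versions.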
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11