I have a Heavy Forwarder set to forward load balanced data to two Splunk indexers on 9997.
When I enable receiving on the indexers (via Settings -> Forwarding and Receiving -> Configure Receiving), no data is showing up.
Examining the splunkd.log on the forwarder and indexers shows the connection is being made with no errors.
If I enable a Data Input to listen to port 9997, I can see data showing up in the index, albeit cooked data, which isn't readable - so the data is making it to the Splunk server, but just not showing up when I configure it to receive from another Splunk.
What might be causing this?
↧