Hey guys,
I have configured the forwarder to send apache access logs to itself from localhost. However, when I look at the metrics log for Splunk, I see:
01-07-2016 19:34:57.279 +0000 INFO StatusMgr - destHost=xx.xx.xxx.xxx, destIp=xx.xx.xxx.xxx, destPort=9997, eventType=connect_try, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor
01-07-2016 19:34:57.280 +0000 INFO StatusMgr - destHost=xx.xx.xxx.xxx, destIp=xx.xx.xxx.xxx, destPort=9997, eventType=connect_fail, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor
My inputs.conf file is inside of /opt/splunk/etc/apps/search/local/inputs.conf, and it says:

[splunktcp://9997]
connection_host = ip

[monitor:///var/log/apache2/access.log]
disabled = false
index = main
sourcetype = access_combined

I'm pretty sure I already opened port 9997. When I do it inside of Splunk, it says the port is already open.
Any help would be appreciated.
Thanks