https://community.splunk.com/t5/Getting-Data-In/Forwarder-to-splunkstorm-is-timing-out/m-p/94990#M19790 <P>the backlog effect does not produce the same messages, it does like "cannot sent dagta to the output queue, parsing queue full".</P> Fri, 11 Oct 2013 17:17:05 GMT yannK 2013-10-11T17:17:05Z https://community.splunk.com/t5/Getting-Data-In/Forwarder-to-splunkstorm-is-timing-out/m-p/94985#M19785 <P>Hi all,</P> <P>I did the following:</P> <UL> <LI>Set up a splunk forwarder</LI> <LI>Obtained my SplunkStorm Credentials</LI> <LI>Installed splunk credentials SPL credentials (though I'm not sure that I did this 100% correctly)</LI> <LI>Edited inputs.conf to add windows system log events</LI> <LI>Started the forwarder.</LI> </UL> <P>In the log, I see several lines of:</P> <PRE><CODE>Line 272: 10-11-2013 11:53:30.478 -0400 WARN TcpOutputProc - Raw connection to ip=107.20.29.58:9997 timed out Line 276: 10-11-2013 11:54:30.479 -0400 WARN TcpOutputProc - Cooked connection to ip=54.224.46.188:9997 timed out </CODE></PRE> <P>I ran the command <EM><CODE>splunk cmd btool outputs list --debug</CODE></EM> and got the result (sslpassword and project id has been changed from its value to [redacted]:</P> <PRE><CODE>C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\outputs.conf [tcpout] C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf autoLBFrequency = 30 C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf blockOnCloning = true C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf blockWarnThreshold = 100 C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf compressed = false C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf connectionTimeout = 20 C:\Program Files\SplunkUniversalForwarder\etc\apps\stormforwarder_[redacted]\default\outputs.conf defaultGroup = storm_indexers C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf disabled = false C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf dropClonedEventsOnQueueFull = 5 C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf dropEventsOnQueueFull = -1 C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf forceTimebasedAutoLB = false C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\outputs.conf forwardedindex.0.whitelist = .* C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\outputs.conf forwardedindex.1.blacklist = _.* C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\outputs.conf forwardedindex.2.whitelist = _audit C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\outputs.conf forwardedindex.filter.disable = false C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf heartbeatFrequency = 30 C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf indexAndForward = false C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf maxConnectionsPerIndexer = 2 C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf maxFailuresPerInterval = 2 C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf maxQueueSize = auto C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf readTimeout = 300 C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf secsInFailureInterval = 1 C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf sendCookedData = true C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf useACK = false C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf writeTimeout = 300 C:\Program Files\SplunkUniversalForwarder\etc\apps\stormforwarder_[redacted]\local\outputs.conf [tcpout:storm_indexers] C:\Program Files\SplunkUniversalForwarder\etc\apps\stormforwarder_[redacted]\default\outputs.conf autoLB = true C:\Program Files\SplunkUniversalForwarder\etc\apps\stormforwarder_[redacted]\default\outputs.conf server = forwarder.d9bw-e6eh.data.splunkstorm.com:9997 C:\Program Files\SplunkUniversalForwarder\etc\apps\stormforwarder_[redacted]\default\outputs.conf sslCertPath = $SPLUNK_HOME/etc/auth/server.pem C:\Program Files\SplunkUniversalForwarder\etc\apps\stormforwarder_[redacted]\local\outputs.conf sslPassword = [redacted] C:\Program Files\SplunkUniversalForwarder\etc\apps\stormforwarder_[redacted]\default\outputs.conf sslRootCAPath = $SPLUNK_HOME/etc/apps/stormforwarder_[redacted]/ssl/star.splunkstorm.com.chain C:\Program Files\SplunkUniversalForwarder\etc\apps\stormforwarder_[redacted]\default\outputs.conf useACK = true C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\outputs.conf [tcpout] C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf autoLBFrequency = 30 C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf blockOnCloning = true C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf blockWarnThreshold = 100 C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf compressed = false C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf connectionTimeout = 20 C:\Program Files\SplunkUniversalForwarder\etc\apps\stormforwarder_[redacted]\default\outputs.conf defaultGroup = storm_indexers C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf disabled = false C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf dropClonedEventsOnQueueFull = 5 C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf dropEventsOnQueueFull = -1 C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf forceTimebasedAutoLB = false C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\outputs.conf forwardedindex.0.whitelist = .* C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\outputs.conf forwardedindex.1.blacklist = _.* C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\outputs.conf forwardedindex.2.whitelist = _audit C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\outputs.conf forwardedindex.filter.disable = false C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf heartbeatFrequency = 30 C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf indexAndForward = false C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf maxConnectionsPerIndexer = 2 C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf maxFailuresPerInterval = 2 C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf maxQueueSize = auto C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf readTimeout = 300 C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf secsInFailureInterval = 1 C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf sendCookedData = true C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf useACK = false C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf writeTimeout = 300 C:\Program Files\SplunkUniversalForwarder\etc\apps\stormforwarder_[redacted]\local\outputs.conf [tcpout:storm_indexers] C:\Program Files\SplunkUniversalForwarder\etc\apps\stormforwarder_[redacted]\default\outputs.conf autoLB = true C:\Program Files\SplunkUniversalForwarder\etc\apps\stormforwarder_[redacted]\default\outputs.conf server = forwarder.d9bw-e6eh.data.splunkstorm.com:9997 C:\Program Files\SplunkUniversalForwarder\etc\apps\stormforwarder_[redacted]\default\outputs.conf sslCertPath = $SPLUNK_HOME/etc/auth/server.pem C:\Program Files\SplunkUniversalForwarder\etc\apps\stormforwarder_[redacted]\local\outputs.conf sslPassword = [redacted] C:\Program Files\SplunkUniversalForwarder\etc\apps\stormforwarder_[redacted]\default\outputs.conf sslRootCAPath = $SPLUNK_HOME/etc/apps/stormforwarder_[redacted]/ssl/star.splunkstorm.com.chain C:\Program Files\SplunkUniversalForwarder\etc\apps\stormforwarder_[redacted]\default\outputs.conf useACK = true </CODE></PRE> Fri, 11 Oct 2013 16:02:01 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarder-to-splunkstorm-is-timing-out/m-p/94985#M19785 SeanKilleen 2013-10-11T16:02:01Z https://community.splunk.com/t5/Getting-Data-In/Forwarder-to-splunkstorm-is-timing-out/m-p/94986#M19786 <P>The timeout is simply caused when the forwarder rotating across the ip of the dns load balancer.<BR /> Or if a maintenance if happening.</P> Fri, 11 Oct 2013 16:24:31 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarder-to-splunkstorm-is-timing-out/m-p/94986#M19786 yannK 2013-10-11T16:24:31Z https://community.splunk.com/t5/Getting-Data-In/Forwarder-to-splunkstorm-is-timing-out/m-p/94987#M19787 <P>Thanks. So I shouldn't be worried that I see hundreds of those entries in splunkd.log? And one last follow-up: I also see no entries being uploaded to splunk, but could this be because it is processing the first giant backlog of windows event log events?</P> Fri, 11 Oct 2013 16:34:09 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarder-to-splunkstorm-is-timing-out/m-p/94987#M19787 SeanKilleen 2013-10-11T16:34:09Z https://community.splunk.com/t5/Getting-Data-In/Forwarder-to-splunkstorm-is-timing-out/m-p/94988#M19788 <P>Related: I guess I'm also asking, Should I start another question based on the fact that I still can't seem to receive any log entries into SplunkStorm from splunk despite it not showing any errors in the logs besides the TcpOutputProc messages?</P> Fri, 11 Oct 2013 17:05:40 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarder-to-splunkstorm-is-timing-out/m-p/94988#M19788 SeanKilleen 2013-10-11T17:05:40Z https://community.splunk.com/t5/Getting-Data-In/Forwarder-to-splunkstorm-is-timing-out/m-p/94989#M19789 <P>yes, please open a ticket from the storm portal (help page), and authorize the support team to check your project.</P> Fri, 11 Oct 2013 17:16:04 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarder-to-splunkstorm-is-timing-out/m-p/94989#M19789 yannK 2013-10-11T17:16:04Z https://community.splunk.com/t5/Getting-Data-In/Forwarder-to-splunkstorm-is-timing-out/m-p/94990#M19790 <P>the backlog effect does not produce the same messages, it does like "cannot sent dagta to the output queue, parsing queue full".</P> Fri, 11 Oct 2013 17:17:05 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarder-to-splunkstorm-is-timing-out/m-p/94990#M19790 yannK 2013-10-11T17:17:05Z https://community.splunk.com/t5/Getting-Data-In/Forwarder-to-splunkstorm-is-timing-out/m-p/94991#M19791 <P>I'm seeing exactly the same behavior, my Windows event logs and Perfmon data isn't showing up in Splunk Storm but a normal text-based logfile does. I've already opened a ticket a couple days ago, but got no response yet.</P> Sat, 12 Oct 2013 13:55:30 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarder-to-splunkstorm-is-timing-out/m-p/94991#M19791 akoeplinger 2013-10-12T13:55:30Z https://community.splunk.com/t5/Getting-Data-In/Forwarder-to-splunkstorm-is-timing-out/m-p/94992#M19792 <P>I am running into the same issue. I am seeing text based logs but no windows event logs? </P> <P>Does splunk storm support windows event logs. I thought it was because i was running server 2012 r2 but 2012 r2 is now supported with 6.1. Is there any trouble shooting steps out there?</P> Thu, 08 May 2014 18:17:13 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarder-to-splunkstorm-is-timing-out/m-p/94992#M19792 pbradfordkc 2014-05-08T18:17:13Z https://community.splunk.com/t5/Getting-Data-In/Forwarder-to-splunkstorm-is-timing-out/m-p/94993#M19793 <P>@pbradfordkc: Windows Event Logs don't work yet when using Universal Forwarder 6 with Storm, see <A href="http://answers.splunk.com/answers/123027/splunk-storm-universal-forwarder">http://answers.splunk.com/answers/123027/splunk-storm-universal-forwarder</A></P> Thu, 08 May 2014 20:04:35 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarder-to-splunkstorm-is-timing-out/m-p/94993#M19793 akoeplinger 2014-05-08T20:04:35Z