https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114192#M23862 <P>I am looking at the data leaving the forwarder using wireshark.</P> Thu, 24 Oct 2013 19:03:44 GMT lewis15 2013-10-24T19:03:44Z https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114188#M23858 <P>why is the data from splunk forwarder --splunk-cooked-mkode-v3-- then about 103 x00 then the computername fillowed by 241 x00 then 8089 followed by 12 more x00?</P> <P>I have tried to find something on the web that made sense to me to discover what the problem is. I used Wireshark on the Windows 7 machine to trap the data. The data looks the same on my Ubuntu 12.10 Splunk standalone indexer.<BR /><BR /> Thanks<BR /> Lewis</P> Thu, 24 Oct 2013 16:50:40 GMT https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114188#M23858 lewis15 2013-10-24T16:50:40Z https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114189#M23859 <P>Sounds like you've setup a TCP input (in the "Inputs" section in splunkweb) instead of a receiving port (In "Forwarding and receiving"). TCP inputs are read by Splunk as-is, while receiving ports are used for receiving data in the proprietary format that's used for forwarded data from one Splunk instance to another. Make sure you're sending forwarded data to a receiving port.</P> Thu, 24 Oct 2013 18:00:18 GMT https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114189#M23859 Ayn 2013-10-24T18:00:18Z https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114190#M23860 <P>universal forwarder does not use splunkweb. There isn't an option in the windows setup to select TCP or UDP.</P> Thu, 24 Oct 2013 18:43:22 GMT https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114190#M23860 lewis15 2013-10-24T18:43:22Z https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114191#M23861 <P>No, I'm not talking about the forwarder, I'm talking about the Splunk instance you're sending data TO from the forwarder.</P> Thu, 24 Oct 2013 18:45:08 GMT https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114191#M23861 Ayn 2013-10-24T18:45:08Z https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114192#M23862 <P>I am looking at the data leaving the forwarder using wireshark.</P> Thu, 24 Oct 2013 19:03:44 GMT https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114192#M23862 lewis15 2013-10-24T19:03:44Z https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114193#M23863 <P>OK. What you are seeing is Splunk's own proprietary format for sending data. There's various metadata added apart from the actual raw event. This is not a problem, that's just how it's sent on the wire.</P> Thu, 24 Oct 2013 19:10:03 GMT https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114193#M23863 Ayn 2013-10-24T19:10:03Z https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114194#M23864 <P>So there isn't any event log data sent, just nulls - x00</P> Thu, 24 Oct 2013 19:24:54 GMT https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114194#M23864 lewis15 2013-10-24T19:24:54Z https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114195#M23865 <P>Highly possible. You really should look for that in Splunk itself, not try to decipher it on the network layer.</P> Thu, 24 Oct 2013 19:39:34 GMT https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114195#M23865 Ayn 2013-10-24T19:39:34Z https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114196#M23866 <P>If the data that is in the network layer is going to be in the output layer. Also I replaced the universal forwarder with a full Splunk version setup for forwarding and it does the same thing, just sends the computer name and lots of x00s.</P> Wed, 30 Oct 2013 12:32:11 GMT https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114196#M23866 lewis15 2013-10-30T12:32:11Z https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114197#M23867 <P>"I have tried to find something on the web that made sense to me to discover what the problem is." What exactly is the problem you are referencing/experiencing? 8090 is the management port the deployment server uses. Probably the client checking in with the deployment server. See step one.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Updating/Howdeploymentupdateshappen">http://docs.splunk.com/Documentation/Splunk/latest/Updating/Howdeploymentupdateshappen</A></P> Wed, 30 Oct 2013 12:47:30 GMT https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114197#M23867 antlefebvre 2013-10-30T12:47:30Z https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114198#M23868 <P>I don't know what else I can say to make you understand this. Data is sent in a proprietary format that will be more than just any log data sent. This is not a problem, this is just the way the data is sent.</P> Wed, 30 Oct 2013 13:14:03 GMT https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114198#M23868 Ayn 2013-10-30T13:14:03Z https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114199#M23869 <P>all null characters is not proprietary!!!!!!!!!!!!!!!!!!<BR /> If there was data/information it would not be all 000000000000000000000000000s</P> Wed, 30 Oct 2013 15:43:41 GMT https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114199#M23869 lewis15 2013-10-30T15:43:41Z https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114200#M23870 <P>Fine. So, what's the actual problem you're experiencing?</P> Wed, 30 Oct 2013 15:51:32 GMT https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114200#M23870 Ayn 2013-10-30T15:51:32Z https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114201#M23871 <P>lewis15. Please see answer I suggested. I believe you are seeing the deployment server poll packet.</P> Wed, 30 Oct 2013 15:54:33 GMT https://community.splunk.com/t5/Getting-Data-In/why-is-splunkforwarder-6-0-182611-x64-release-msi-sending-mostly/m-p/114201#M23871 antlefebvre 2013-10-30T15:54:33Z