Cant get windows server into splunk

davidbeiler — Sat, 28 Nov 2020 05:10:41 GMT

Im pretty technical... i got splunk installed in centos, everything works ok, but for the life of me i cant figure this out

11-27-2020 23:53:54.093 -0500 WARN TcpOutputProc - The TCP output processor has paused the data flow. Forwarding to host_dest=192.168.1.109 inside output group default-autolb-group from host_src=splunk has been blocked for blocked_seconds=710. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.

Ports are open for 8000, 9997 (receiving port), and opened 8089. Plenty of disk space, though when i do ss -l | grep 9997 i do not see anything for port 9997, even though ive unblocked the port 1000 times

Re: Cant get windows server into splunk

gcusello — Sat, 28 Nov 2020 07:26:51 GMT

Hi @davidbeiler,

only one question: after the pause, you continued to have logs from this server or they stopped?

if they continued to arrive (eventually late) probably there was a temporary network congestion caused by the network and/or the data flow (I don't think because this seems a lab configuration) or more probably by the index queue caused by the storage performances.

If instead they don't arrive more, there's something in the middle that blocks the data flow:

are there other forwarders that are sending logs?
did you tested with telnet the connection on port 9997?

Ciao.

Giuseppe

topic Re: Cant get windows server into splunk in Getting Data In

Cant get windows server into splunk

Re: Cant get windows server into splunk