https://community.splunk.com/t5/Getting-Data-In/UF-stops-forwarding-when-splunk-cloud-is-down/m-p/531782#M89449 <P>If you read the title, you are going "well of course it does", but hear me out.&nbsp; &nbsp;(This will be a long explanation that will hopefully answer the immediate questions)...<BR /><BR /><STRONG>Background:</STRONG><BR />We have some on-prem UFs that forward "everything"&nbsp; to our on-prem enterprise indexers <STRONG>AND</STRONG> specific logs&nbsp; to our splunk cloud instance indexer.&nbsp; &nbsp; In case you are wondering,&nbsp; the cloud instance is where our customer can look at their data without needing access to our internal systems.<BR /><BR /><STRONG>Problem:</STRONG><BR />Splunk did some maintenance on our cloud instance and when they did so, forwarding&nbsp; from the UFs also stopped coming into our on-prem Splunk.&nbsp; &nbsp; I can't figure out why cloud being down would stop the forwarders from sending to enterprise.&nbsp; &nbsp;&nbsp;<BR /><BR />Checking the documentation here:&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Setuploadbalancingd#Configure_universal_forwarder_load_balancing_for_horizontal_scaling" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Setuploadbalancingd#Configure_universal_forwarder_load_balancing_for_horizontal_scaling</A><BR /><BR />It reads like the UFs should switch to the next indexers when it goes down.&nbsp; But it didn't.&nbsp; Instead we saw this in the internal logs when the cloud instance was taken down for maintenance&nbsp;<BR /><BR /><EM>11-25-2020 21:59:48.139 -0600 WARN TcpOutputProc - The TCP output processor has paused the data flow. Forwarding to output group splunkcloud has been blocked for 1200 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.</EM><BR />&nbsp;<BR />Looking at the inputs.conf and outputs.conf,&nbsp; I can see nothing wrong with them to have the data blocked from these UFs<BR /><BR />Sanitized inputs.conf, with the log that gets sent to both the on-prem instance&nbsp; (PP_indexers) and cloud instance&nbsp; bolded&nbsp;</P><P><EM>[monitor://C:\blahblahblah\q2.log]</EM><BR /><EM>_TCP_ROUTING = pp_indexers</EM><BR /><EM>index = fsd</EM><BR /><EM>sourcetype = q2</EM></P><P><EM>[monitor://C:\blahblahblah\wrapper.log]</EM><BR /><EM>_TCP_ROUTING = pp_indexers</EM><BR /><EM>index = fsd_sandbox</EM><BR /><EM>sourcetype = wrapper</EM></P><P><EM>[monitor://C:\blahblahblah\metrics.log]</EM><BR /><EM><STRONG>_TCP_ROUTING = pp_indexers,splunkcloud</STRONG></EM><BR /><EM>index = fsd_sandbox</EM><BR /><EM>sourcetype = metrics<BR /><BR /><BR /></EM>Sanitized outputs.conf:&nbsp;</P><P><EM>defaultGroup = pp_indexers</EM><BR /><EM>forceTimebasedAutoLB = true</EM><BR /><EM>autoLBFrequency = 15</EM></P><P><EM>[tcpout:pp_indexers]</EM><BR /><EM>server = indexer1.ip.address.here:9997, indexer2.ip.address.here:9997</EM></P><P><BR /><BR /><EM>[tcpout:splunkcloud]</EM><BR /><EM>compressed = false</EM><BR /><EM>disabled = false</EM><BR /><EM>server = our_domain_name.cloud.splunk.com:9997</EM><BR /><EM>sslCommonNameToCheck = our_domain_name.cloud.splunk.com</EM><BR /><EM>sslCertPath = $SPLUNK_HOME/etc/apps/sanitized/client.pem</EM><BR /><EM>sslPassword = sanitized</EM><BR /><EM>sslRootCAPath = $SPLUNK_HOME/etc/apps/sanitized/cacert.pem</EM><BR /><EM>sslVerifyServerCert = true</EM><BR /><EM>useACK = true</EM><BR /><BR />Oh and just in case you need it...<BR />UF versions are 7.1.2 and 7.2.3<BR />enterprise version is 7.3.4,&nbsp; cloud is 7.3.</P> Wed, 02 Dec 2020 22:31:00 GMT randy_moore 2020-12-02T22:31:00Z https://community.splunk.com/t5/Getting-Data-In/UF-stops-forwarding-when-splunk-cloud-is-down/m-p/531782#M89449 <P>If you read the title, you are going "well of course it does", but hear me out.&nbsp; &nbsp;(This will be a long explanation that will hopefully answer the immediate questions)...<BR /><BR /><STRONG>Background:</STRONG><BR />We have some on-prem UFs that forward "everything"&nbsp; to our on-prem enterprise indexers <STRONG>AND</STRONG> specific logs&nbsp; to our splunk cloud instance indexer.&nbsp; &nbsp; In case you are wondering,&nbsp; the cloud instance is where our customer can look at their data without needing access to our internal systems.<BR /><BR /><STRONG>Problem:</STRONG><BR />Splunk did some maintenance on our cloud instance and when they did so, forwarding&nbsp; from the UFs also stopped coming into our on-prem Splunk.&nbsp; &nbsp; I can't figure out why cloud being down would stop the forwarders from sending to enterprise.&nbsp; &nbsp;&nbsp;<BR /><BR />Checking the documentation here:&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Setuploadbalancingd#Configure_universal_forwarder_load_balancing_for_horizontal_scaling" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Setuploadbalancingd#Configure_universal_forwarder_load_balancing_for_horizontal_scaling</A><BR /><BR />It reads like the UFs should switch to the next indexers when it goes down.&nbsp; But it didn't.&nbsp; Instead we saw this in the internal logs when the cloud instance was taken down for maintenance&nbsp;<BR /><BR /><EM>11-25-2020 21:59:48.139 -0600 WARN TcpOutputProc - The TCP output processor has paused the data flow. Forwarding to output group splunkcloud has been blocked for 1200 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.</EM><BR />&nbsp;<BR />Looking at the inputs.conf and outputs.conf,&nbsp; I can see nothing wrong with them to have the data blocked from these UFs<BR /><BR />Sanitized inputs.conf, with the log that gets sent to both the on-prem instance&nbsp; (PP_indexers) and cloud instance&nbsp; bolded&nbsp;</P><P><EM>[monitor://C:\blahblahblah\q2.log]</EM><BR /><EM>_TCP_ROUTING = pp_indexers</EM><BR /><EM>index = fsd</EM><BR /><EM>sourcetype = q2</EM></P><P><EM>[monitor://C:\blahblahblah\wrapper.log]</EM><BR /><EM>_TCP_ROUTING = pp_indexers</EM><BR /><EM>index = fsd_sandbox</EM><BR /><EM>sourcetype = wrapper</EM></P><P><EM>[monitor://C:\blahblahblah\metrics.log]</EM><BR /><EM><STRONG>_TCP_ROUTING = pp_indexers,splunkcloud</STRONG></EM><BR /><EM>index = fsd_sandbox</EM><BR /><EM>sourcetype = metrics<BR /><BR /><BR /></EM>Sanitized outputs.conf:&nbsp;</P><P><EM>defaultGroup = pp_indexers</EM><BR /><EM>forceTimebasedAutoLB = true</EM><BR /><EM>autoLBFrequency = 15</EM></P><P><EM>[tcpout:pp_indexers]</EM><BR /><EM>server = indexer1.ip.address.here:9997, indexer2.ip.address.here:9997</EM></P><P><BR /><BR /><EM>[tcpout:splunkcloud]</EM><BR /><EM>compressed = false</EM><BR /><EM>disabled = false</EM><BR /><EM>server = our_domain_name.cloud.splunk.com:9997</EM><BR /><EM>sslCommonNameToCheck = our_domain_name.cloud.splunk.com</EM><BR /><EM>sslCertPath = $SPLUNK_HOME/etc/apps/sanitized/client.pem</EM><BR /><EM>sslPassword = sanitized</EM><BR /><EM>sslRootCAPath = $SPLUNK_HOME/etc/apps/sanitized/cacert.pem</EM><BR /><EM>sslVerifyServerCert = true</EM><BR /><EM>useACK = true</EM><BR /><BR />Oh and just in case you need it...<BR />UF versions are 7.1.2 and 7.2.3<BR />enterprise version is 7.3.4,&nbsp; cloud is 7.3.</P> Wed, 02 Dec 2020 22:31:00 GMT https://community.splunk.com/t5/Getting-Data-In/UF-stops-forwarding-when-splunk-cloud-is-down/m-p/531782#M89449 randy_moore 2020-12-02T22:31:00Z