Hello all,
I have installed app "Splunk Add-on for Apache Web Server" from splunk web. Unfotrunately when i try to create Data input i am unable to select the source type for ex: apache:access and when i try to launch app it says page not found. please help. I also tried to download the addon and uploaded the tar file to update add-on, but it doesnot work. please suggest
The TCP output processor has paused the data flow. Forwarding to output group default-autolb-group has been blocked for 10 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data. Learn more.
can anyone help me with this error. I am unable to forward the logs to splunk server
Referring to your outputs.conf: Add forwardedindex.0.whitelist = .*
to your outputs.conf [tcpout:default-autolb-group]
stanza and restart the Forwarder. You just telling Splunk to forward, but not what to forward. By this setting Splunk forwards everything. If there is still nothing coming it it could also be a firewall problem.
Hi, I have added as above and unfortunately i could still see "its waiting for data" and I got this warning message from the GUI.
"The TCP output processor has paused the data flow. Forwarding to output group default-autolb-group has been blocked for 10 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data."
Do you also have an inputs.conf on your indexer with
[splunktcp://9997]
disabled = 0
?
What does the splunkd.log say of indexer and forwarder?
What is the output of:
on indexer
tail -n100 /opt/splunk/var/log/splunk/splunkd.log | grep ERROR
or on the Forwarder
tail -n100 /opt/splunkforwarder/var/log/splunk/splunkd.log | grep ERROR
Hi yes, I have an indexer as mentioned above
tail -n30 /opt/splunk/var/log/splunk/splunkd.log | grep ERROR
02-25-2019 16:13:45.647 +0100 ERROR TcpOutputFd - Invalid payload_size=1397966893 received while in parseState=1
02-25-2019 16:13:45.647 +0100 ERROR TcpOutputFd - Invalid payload_size=1213486160 received while in parseState=1
tail -n30 /opt/splunkforwarder/var/log/splunk/splunkd.log | grep ERROR
02-25-2019 16:08:12.463 +0100 ERROR TcpOutputFd - Read error. Connection reset by peer
02-25-2019 16:08:12.464 +0100 ERROR TcpOutputFd - Connection to host=192.4.81.11:9997 failed
02-25-2019 16:08:12.464 +0100 ERROR TcpOutputFd - Connection to host=192.4.81.11:9997 failed
Hi,
Yes I am finding in sourcetype, unfortunately I am unable to see the host as it always shows in search " waiting for data". I have configured Universal forwader on host.
you should know the difference of TA and Apps.
-App is used for UI template and sometime contains TA inside. It can be visible or invisible
-TA is used to help the data parsing in indexing level or visualization level. It's invisible only, because mostly placed in forwarders and indexers
Hi, Yes I have configured the Universl forwarder on the host with outputs and inputs.conf as below and restarted the splunk, but still I could not find the host on the data ysummary tab. Any suggestions would be helpful. Thanks.
cat outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 192.4.81.11:9997
inputs.conf
[monitor:///var/log/apache2/access.log]
sourcetype=apache:access
disabled = 0
How do you try to launch the app? Splunk Add-on for Apache Web Server is a TA, so it does not have a GUI App interface. But sourcetypes should be available in the sourcetype overview or when you try to add an input.
[ui]
is_visible = false