
Splunk web URL not coming up after configuring universal forwarder


I had installed Splunk 7.1.1 on a Linux machine and started it with id/passwd, and it was coming up. Then I installed the Splunk universal forwarder on the other Linux machine to get logs from, but the Splunk web URL is not coming up. Splunk is running, and I stopped the Splunk forwarder. In splunkd.log I see the error below:

ERROR TcpInputProc - Message rejected. Received unexpected message of size=1195725856 bytes from src= in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.

Please suggest.

0 Karma

Esteemed Legend

If you are sending SSL-encrypted data to a non-SSL listening Indexer (or vice versa), the Indexer will reject it with this error. In earlier versions an SSL listener would accept non-encrypted payloads, but this changed in v7.? (check the release notes). So if you upgrade and have this misconfigured, what worked before may be rejected now.

0 Karma
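An added triage example, not part of the original thread and not Splunk's own code: it decodes the `size=` value from a `TcpInputProc` rejection into its four leading bytes, on the assumption that the receiver read the start of the stream as a big-endian length. The helper names `classify_size` and `triage` are hypothetical, and the second sample log line and its address are constructed.

```python
import re

# Assumption (not stated in the thread): the "size" in the error is the first
# four bytes of the rejected stream, read as a big-endian integer.
REJECT_RE = re.compile(
    r"TcpInputProc - Message rejected\. .*?size=(\d+) bytes from src=(\S*)")

HTTP_HEADS = {b"GET ", b"POST", b"PUT ", b"HEAD", b"OPTI", b"DELE", b"PATC"}


def classify_size(size):
    """Return (leading four bytes, guess at what the sender was speaking)."""
    if not 0 <= size <= 0xFFFFFFFF:
        return b"", "size does not fit in four bytes"
    head = size.to_bytes(4, "big")
    if head in HTTP_HEADS:
        return head, "plaintext HTTP request sent to the splunktcp port"
    # TLS record header: content type 0x16 (handshake), then major version 0x03.
    if head[0] == 0x16 and head[1] == 0x03:
        return head, "TLS handshake sent to a non-SSL splunktcp listener"
    return head, "unrecognised payload"


def triage(log_text):
    """Decode every TcpInputProc rejection found in splunkd.log text."""
    findings = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            head, verdict = classify_size(int(m.group(1)))
            findings.append({"src": m.group(2) or "(not logged)",
                             "head": head, "verdict": verdict})
    return findings


# Line 1 is the error quoted in the question; line 2 is constructed for this
# example (192.0.2.10 is a documentation address); line 3 is unrelated noise.
SAMPLE = """\
ERROR TcpInputProc - Message rejected. Received unexpected message of size=1195725856 bytes from src= in streaming mode. Maximum message size allowed=67108864.
ERROR TcpInputProc - Message rejected. Received unexpected message of size=369295616 bytes from src=192.0.2.10:51234 in streaming mode. Maximum message size allowed=67108864.
INFO  TcpInputProc - constructed line that should be ignored
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["src"], f["head"], f["verdict"])
```

For the value quoted in the question, 1195725856 is 0x47455420, which is the ASCII bytes `GET ` followed by nothing else in the four-byte window.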


Thanks for the quick reply. Can you please suggest what I should do now?
Do I need to install the full version of Splunk and make it a forwarder? If yes, please let me know the installation and configuration steps for the full version of Splunk as a forwarder.

0 Karma


Hi @ahmemohs03

I believe the universal forwarder version of Splunk is a light version of the Splunk software; these light versions of Splunk do not have the Web UI interface enabled.

You can install the full version of Splunk and make it a universal forwarder, so that it can be used as a forwarder and the UI is enabled as well.


0 Karma


Thanks for the quick response.

The Splunk universal forwarder is version 7.1.1, and I installed it on a Linux machine whose logs I need to see on another Linux server where the full version of Splunk is installed. Do you want me to uninstall the UF and install the full version of Splunk, and how do I make a full version of Splunk into a universal forwarder?

0 Karma