
Why am I getting error "Received unexpected 369295360 byte message!" connecting to TCP input using java client SDK on Splunk 6.2?

preben12
Communicator

I'm testing the new Splunk version using the Java client SDK, and am seeing problems connecting to a TCP receiver port 9997.

When connecting I'm using a serviceargs map with the values {host=localhost, port=9997, scheme=https, username=admin, password=password}

When doing Service.connect(args) I'm getting an error:

could not connect to Splunk Server @ localhost:9997 - java.lang.RuntimeException: Remote host closed connection during handshake

From the splunkd.log there are log entries ->

10-28-2014 19:03:49.815 +0100 ERROR TcpInputProc - Message rejected. Received unexpected 369295360 byte message! from src=127.0.0.1:55247. Maximum message allowed: 67108864. (::)

There is no problem when using earlier versions of Splunk, e.g. 5.3.

Best,
Preben


ineeman
Splunk Employee

The Service.connect method is used to connect to the Splunk REST API, which is against the management port. The port supplied in the ServiceArgs map refers to the management port. Note that TCP ports as configured in "Settings » Forwarding and receiving » Receive data » add new" (as you noted) are not HTTP/HTTPS - they are purely just TCP sockets, with no protocol on them.

I'm not sure how or why it worked in a previous version of Splunk - could it be that 9997 was actually your management port and not one defined as a TCP receiver?

preben12
Communicator

Ahh, you are right. Just took a step deeper. The connection is actually done using HTTP against the management port using Service.connect. Later the service instance can be used to get a TCP socket connection using the open method ->

    public Socket open(int port) throws IOException {
        return new Socket(this.host, port);
    }

Just forgot

ineeman
Splunk Employee

When you say a "tcp receiver port of 9997" - is this a TCP input port (from inputs.conf) or the management port for Splunk (i.e. the default being 8089)?

preben12
Communicator

It's a tcp receiver port opened using the console -> Settings » Forwarding and receiving » Receive data » add new.

ineeman
Splunk Employee

OK - Service.connect is used to connect to the management port (the REST API) - so you should use that port. Let me know if that makes sense.

preben12
Communicator

I don't think that's correct. Look at the Service class: this is a general class for connecting to Splunk using http(s) at the port you configured in the args map.
This has been working fine on previous versions of Splunk.

ineeman
Splunk Employee

Can you share the code you have that you are using? I want to make sure I am following what you are doing.
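
Added example, not part of the original thread or of Splunk's code: the rejected size in the quoted splunkd.log entry, 369295360, is 0x16030000, which matches the opening bytes of an SSL/TLS handshake record, consistent with the accepted answer that the TCP input port does not speak HTTPS. The script decodes such sizes back into bytes to spot protocol mismatches; it assumes the input reads the first four bytes of a connection as a big-endian length, and the second log line and all helper names are constructed.

```python
import re
import struct

# Constructed sample: the TcpInputProc line quoted in the question, plus one
# constructed line whose size is what "GET " looks like as a 32-bit length.
SAMPLE_LOG = """\
10-28-2014 19:03:49.815 +0100 ERROR TcpInputProc - Message rejected. Received unexpected 369295360 byte message! from src=127.0.0.1:55247. Maximum message allowed: 67108864. (::)
10-28-2014 19:04:02.101 +0100 ERROR TcpInputProc - Message rejected. Received unexpected 1195725856 byte message! from src=127.0.0.1:55301. Maximum message allowed: 67108864. (::)
"""

REJECT_RE = re.compile(
    r"Received unexpected (?P<size>\d+) byte message! from src=(?P<src>[\d.]+:\d+)"
)

# TLS record header: content type, version major (0x03), version minor, length.
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
TLS_VERSIONS = {0x00: "SSL 3.0", 0x01: "TLS 1.0", 0x02: "TLS 1.1", 0x03: "TLS 1.2"}
HTTP_PREFIXES = (b"GET ", b"POST", b"PUT ", b"HEAD", b"DELE", b"OPTI", b"HTTP")


def classify_prefix(size: int) -> str:
    """Guess the client protocol from a size that may be 4 misread payload bytes."""
    if size > 0xFFFFFFFF:
        return "not a 32-bit value"
    raw = struct.pack(">I", size)  # assumption: the length was read big-endian
    ctype, major, minor = raw[0], raw[1], raw[2]
    if ctype in TLS_CONTENT_TYPES and major == 0x03 and minor in TLS_VERSIONS:
        return f"TLS record ({TLS_CONTENT_TYPES[ctype]}, {TLS_VERSIONS[minor]})"
    if raw in HTTP_PREFIXES:
        return f"plaintext HTTP ({raw.decode('ascii').strip()})"
    return f"unrecognised bytes {raw.hex()}"


def triage(log_text: str) -> list[tuple[str, int, str]]:
    """Return (source, reported size, guessed client protocol) per rejection."""
    return [(m["src"], int(m["size"]), classify_prefix(int(m["size"])))
            for m in REJECT_RE.finditer(log_text)]


if __name__ == "__main__":
    for src, size, guess in triage(SAMPLE_LOG):
        print(f"{src}: {size} = 0x{size:08x} -> {guess}")
```

A TLS or HTTP classification for a source means that client is pointing an HTTPS or REST connection at a raw TCP input rather than at the management port.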
