Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Compressed data from forwarder to indexer

Eli_Klein
Explorer
‎09-07-2010 04:41 PM

I'm having some trouble getting this working. I've tried both the regular forwarder as well as the light forwarder. When using the regular forwarder, I get the following error on the server:

9-03-2010 16:04:20.699 ERROR TcpInputProc - Received unrecognized signature --splunk-cooked-mode-v2--

When using the light forwarder, everything appears to be working fine on the client, but no data is making it to the server. There is no established connection on the compressed port on the server either.

If I change back to the uncompressed port, data flows just fine to the indexer.

I have been unable to find any sort of precise instructions for what it takes to configure compressed data. All I can find are the options in the specfiles that turn on compressed data. I'd love to find something that details things step-by-step. Any help would be greatly appreciated.

Thank you!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Eli_Klein
Explorer
‎09-09-2010 07:41 PM

The problem was with the format of my outputs.conf on my forwarders:

BEFORE (forwarder outputs.conf):

 [tcpout] 
 defaultGroup = splunkgroup
 disabled = false

 [tcpout:splunkgroup] 
 server = splunkserver:9998

 [tcpout-server://splunkserver:9998]
 compressed = true

AFTER (forwarder outputs.conf):

 [tcpout] 
 defaultGroup = splunkgroup
 disabled = false

 [tcpout:splunkgroup] 
 server = splunkserver:9998
 compressed = true

Here's my $SPLUNK_HOME/etc/system/local/inputs.conf from my indexer:

 [default]
 host = splunkserver

 [splunktcp://9997]

 [splunktcp://9998]
 compressed = true

This configures a non-compressed listener on 9997 and a compressed listener on 9998. I hope this helps someone else in my situation!

View solution in original post

Reply
Solved! Jump to solution
Solution

Eli_Klein
Explorer
‎09-09-2010 07:41 PM

The problem was with the format of my outputs.conf on my forwarders:

BEFORE (forwarder outputs.conf):

 [tcpout] 
 defaultGroup = splunkgroup
 disabled = false

 [tcpout:splunkgroup] 
 server = splunkserver:9998

 [tcpout-server://splunkserver:9998]
 compressed = true

AFTER (forwarder outputs.conf):

 [tcpout] 
 defaultGroup = splunkgroup
 disabled = false

 [tcpout:splunkgroup] 
 server = splunkserver:9998
 compressed = true

Here's my $SPLUNK_HOME/etc/system/local/inputs.conf from my indexer:

 [default]
 host = splunkserver

 [splunktcp://9997]

 [splunktcp://9998]
 compressed = true

This configures a non-compressed listener on 9997 and a compressed listener on 9998. I hope this helps someone else in my situation!

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-07-2010 10:59 PM

Sounds like you need to enable compression on the indexer side (or enable a separate listening port that has compression enabled and have your forwarder send there).

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...