Getting Data In

Forwarder Raw Heartbeat Data

Communicator

Greetz,

Please can someone tell me if these events every minute are raw universal forwarder heartbeat data?

»  5/28/12
8:10:28.000 PM  

\x16\x3\x00\x00D\x1\x00\x00@\x3\x00O\xC3\xC0\x94r\xBB\xB9m\x9C<[\xA9\xFC\xE4\x9C(\xAC\x108\xB5\x85؅\xEDP$\xF8\xB0\x1Bx/\xBC\x00\x00\x18\x009\x008\x005\x003\x002\x00/\x00\x16\x00\x13\x00\x00\x5\x00\x4\x00\xFF\x2\x1\x00

host=collector   Options|  
sourcetype=ds:ad   Options|  
source=tcp:50000   Options
0 Karma
1 Solution

Communicator

No it's not. This was in actual fact connection data from the deployment client to a raw TCP input and the forwarder has been configured to "sendCookedData = false".

View solution in original post

0 Karma

Communicator

No it's not. This was in actual fact connection data from the deployment client to a raw TCP input and the forwarder has been configured to "sendCookedData = false".

View solution in original post

0 Karma

New Member

I had the same question. I erased all the configuration apps and inputs.conf from the universal forwarder and found out that this pattern kept going. Still believe is a heartbeat.

0 Karma

SplunkTrust
SplunkTrust

That (looks) like a normal tcp receiver that is being fed data from a forwarder in splunktcp (cooked) format.

0 Karma

Communicator

This was the problem.

0 Karma

Communicator

No it's not. This was in actual fact connection data from the deployment client to a raw TCP input and the forwarder has been configured to "sendCookedData = false".

0 Karma