Getting Data In

Forwarder tcpout_connections blocked

Chris_R_
Splunk Employee

This configuration is two 3.4.2 forwarders -> two 4.1.2 indexers.
Forwarders have two UDP inputs and two separate assigned sourcetypes on these UDP inputs; props/transforms/outputs entries are doing _TCP_ROUTING to two separate indexers.
Config seems OK for the most part. However, they are constantly getting blocked tcpout_connections messages in metrics.log.

splunkd.log errors on the forwarders

07-07-2010 06:11:29.452 WARN  TcpOutputProc - TcpSendThread: Connection to server lost - retrying: Broken pipe  
07-07-2010 06:11:29.452 WARN  TcpOutputProc - Connection dropped by Indexer. Possible version mismatch with indexer. Please check compatibility with indexer version  

splunkd.log errors on the indexer

07-08-2010 01:15:13.501 ERROR TcpInputProc - Error encountered for connection from host=< ip address >, ip=< ip address >. Timeout  
07-08-2010 01:15:13.501 INFO  TcpInputProc - Hostname=< ip address > closed connection  
07-08-2010 01:15:13.501 WARN  PipelineInputChannel - channel source::udp:515|host::192.168.88.25|somesourcetypel|remoteport::41108" ended without a done-key  
07-08-2010 01:15:13.501 WARN  PipelineInputChannel - channel "source::udp:514|host::192.168.8.204|somesourcetypee|remoteport::41108" ended without a done-key  
07-08-2010 01:15:13.501 WARN  PipelineInputChannel - channel "source::udp:515|host::192.168.88.26|somesourcetype|remoteport::41108" ended without a done-key  
07-08-2010 01:15:13.501 WARN  PipelineInputChannel - channel "source::/opt/splunk/var/log/splunk/splunklogger.log|host::NCCForwarder|splunklogger|remoteport::41108" ended without a done-key  
07-08-2010 01:15:13.501 WARN  PipelineInputChannel - channel "source::udp:515|host::192.168.88.27|somesourcetype|remoteport::41108" ended without a done-key  

One other odd entry I see in the inputs.conf of the indexers; seems like this is an older spec file setting to route certain data to queues instead of letting Splunk do it automatically?

[splunktcp]
route = has_key:_utf8:indexQueue;has_key:_linebreaker:indexQueue;absent_key:_utf8:parsingQueue;absent_key:_linebreaker:parsingQueue;
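A small parser, added here as an example and not part of the thread, that walks splunkd.log lines of the two shapes quoted above (forwarder-side TcpOutputProc drops and indexer-side PipelineInputChannel channels that ended without a done-key) and summarises how many drops occurred and which forwarder hosts had channels cut off. The function names and the sample log lines are constructed; the IPs in them are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the splunkd.log excerpts in the thread.
SAMPLE_LOG = """\
07-07-2010 06:11:29.452 WARN  TcpOutputProc - TcpSendThread: Connection to server lost - retrying: Broken pipe
07-07-2010 06:11:29.452 WARN  TcpOutputProc - Connection dropped by Indexer. Possible version mismatch with indexer. Please check compatibility with indexer version
07-08-2010 01:15:13.501 ERROR TcpInputProc - Error encountered for connection from host=10.0.0.1, ip=10.0.0.1. Timeout
07-08-2010 01:15:13.501 WARN  PipelineInputChannel - channel "source::udp:514|host::192.168.8.204|somesourcetype|remoteport::41108" ended without a done-key
07-08-2010 01:15:13.501 WARN  PipelineInputChannel - channel source::udp:515|host::192.168.88.26|somesourcetype|remoteport::41108" ended without a done-key
07-08-2010 01:15:13.502 INFO  TcpInputProc - Hostname=10.0.0.1 closed connection
"""

# Generic splunkd.log line: timestamp, level, component, " - ", message.
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<level>\w+)\s+(?P<component>\w+) - (?P<msg>.*)$')
# Channel key inside the done-key warning; the opening quote is optional because
# one of the quoted lines in the thread lacks it.
CHANNEL_RE = re.compile(
    r'channel "?source::(?P<source>[^|]+)\|host::(?P<host>[^|]+)\|'
    r'(?P<sourcetype>[^|]+)\|remoteport::(?P<port>\d+)"? ended without a done-key')


def parse_splunkd(text):
    """Return (drop_count, [(source, host, sourcetype), ...]) for the given log text."""
    drops = 0
    unfinished = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        comp, msg = m['component'], m['msg']
        if comp == 'TcpOutputProc' and (
                'Connection to server lost' in msg or 'Connection dropped by Indexer' in msg):
            drops += 1
        elif comp == 'PipelineInputChannel':
            c = CHANNEL_RE.search(msg)
            if c:
                unfinished.append((c['source'], c['host'], c['sourcetype']))
    return drops, unfinished


def summarize(text):
    """Counts useful for spotting which forwarders are losing data mid-channel."""
    drops, unfinished = parse_splunkd(text)
    by_host = Counter(host for _, host, _ in unfinished)
    return {'forwarder_drops': drops,
            'channels_without_done_key': len(unfinished),
            'by_host': dict(by_host)}
```

Run summarize() over a forwarder's and an indexer's splunkd.log separately; a drop count on the forwarder that lines up in time with done-key warnings on the indexer points at the same lost connection seen from both ends.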

Chris_R_
Splunk Employee

GK: These are full forwarders, here's the outputs from a forwarder

[tcpout]  
indexAndForward = false  


[tcpout:stonegateGroup]
disabled = false  
server=10.20.12.35:9001  

[tcpout:fortimailGroup]  
disabled = false  
server=10.20.12.33:9997  

and the inputs.conf from an indexer

[default]  
index = default  
host = fortimailsplunk  
_rcvbuf = 196608  

[monitor://$SPLUNK_HOME/var/spool/splunk]  
move_policy = sinkhole  

[fschange:$SPLUNK_HOME/etc]  
signedaudit = true  
sendEventMaxSize = -1  
recurse = true  
pollPeriod = 600  
filesPerDelay = 10  
delayInMills = 100  
followLinks = false  
fullEvent = false  
hashMaxSize = -1  

[splunktcp]  
route = has_key:_utf8:indexQueue;has_key:_linebreaker:indexQueue;absent_key:_utf8:parsingQueue;absent_key:_linebreaker:parsingQueue;  

Note: I had them remove the tcp route = stanza; it seems not to be blocking this morning, but it could be a slower day... I'll know for sure next week.


gkanapathy
Splunk Employee

That route is in fact in the etc/system/default/inputs.conf for 4.x machines. Someone might have copied it over. Don't mess with it.

Please clarify whether these are heavy forwarders or LWFs tweaked to collect UDP as well. It would be helpful to see the outputs.conf on the forwarders and the inputs.conf on the indexer.
