Getting Data In

Getting errors in logs when forwarding data from one indexer to another in a different environment.

sdkp03
Communicator

I have Splunk set up in 2 different environments. Splunk in environment A is accessible to all users. Splunk in environment B is accessible to limited users. Data in environment B is indexed into multiple indexes.  I want data from index A to be forwarded to the indexer of Splunk in environment A. I have modified outputs.conf of indexer in Splunk B with below values:

[tcpout]
indexAndForward = true
forwardedindex.filter.disable = false
forwardedindex.2.whitelist = os_abc
forwardedindex.0.blacklist = history
forwardedindex.1.blacklist = main
forwardedindex.2.blacklist = os_cde
forwardedindex.3.blacklist = summary
[tcpout:ostravam]
disabled = false
server = hostip:port

Error from logs from the indexer server as mentioned below:

07-21-2020 00:45:57.221 -0400 ERROR TcpOutputFd - Read error. Connection reset by peer
07-21-2020 00:45:57.221 -0400 WARN TcpOutputProc - Applying quarantine to ip=10.145.243.21 port=9997 _numberOfFailures=2
07-21-2020 00:45:57.224 -0400 INFO ProxyConfig - Failed to initialize http_proxy from server.conf for splunkd. Please make sure that the http_proxy property is set as http_proxy=http://host:port in case HTTP proxying needs to be enabled.

Error from logs of the server I was connecting to:

07-21-2020 15:39:48.975 +1000 ERROR TcpInputProc - Error encountered for connection from src=10.87.238.134:35248.
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
07-21-2020 15:39:48.979 +1000 ERROR TcpInputProc - Error encountered for connection from src=10.87.238.134:35250.
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Is there anything that could assist me in getting around this?

Labels (1)
0 Karma
1 Solution

sdkp03
Communicator

Got this resolved by using client certificate

View solution in original post

0 Karma

sdkp03
Communicator

Got this resolved by using client certificate

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...