Getting Data In

Getting errors in logs when forwarding data from one indexer to another in a different environment.

sdkp03
Path Finder

I have Splunk set up in 2 different environments. Splunk in environment A is accessible to all users. Splunk in environment B is accessible to limited users. Data in environment B is indexed into multiple indexes.  I want data from index A to be forwarded to the indexer of Splunk in environment A. I have modified outputs.conf of indexer in Splunk B with below values:

[tcpout]
indexAndForward = true
forwardedindex.filter.disable = false
forwardedindex.2.whitelist = os_abc
forwardedindex.0.blacklist = history
forwardedindex.1.blacklist = main
forwardedindex.2.blacklist = os_cde
forwardedindex.3.blacklist = summary
[tcpout:ostravam]
disabled = false
server = hostip:port

Error from logs from the indexer server as mentioned below:

07-21-2020 00:45:57.221 -0400 ERROR TcpOutputFd - Read error. Connection reset by peer
07-21-2020 00:45:57.221 -0400 WARN TcpOutputProc - Applying quarantine to ip=10.145.243.21 port=9997 _numberOfFailures=2
07-21-2020 00:45:57.224 -0400 INFO ProxyConfig - Failed to initialize http_proxy from server.conf for splunkd. Please make sure that the http_proxy property is set as http_proxy=http://host:port in case HTTP proxying needs to be enabled.

Error from logs of the server I was connecting to:

07-21-2020 15:39:48.975 +1000 ERROR TcpInputProc - Error encountered for connection from src=10.87.238.134:35248.
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
07-21-2020 15:39:48.979 +1000 ERROR TcpInputProc - Error encountered for connection from src=10.87.238.134:35250.
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Is there anything that could assist me in getting around this?

Labels (1)
0 Karma
1 Solution

sdkp03
Path Finder

Got this resolved by using client certificate

View solution in original post

0 Karma

sdkp03
Path Finder

Got this resolved by using client certificate

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...

Admin Console: A Single, Unified Interface for All Your Cloud Admin Needs

WATCH NOWJoin us to learn how the admin console can save you time and give you more control over the Splunk® ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...