I have Splunk set up in 2 different environments. Splunk in environment A is accessible to all users. Splunk in environment B is accessible to limited users. Data in environment B is indexed into multiple indexes. I want data from index A to be forwarded to the indexer of Splunk in environment A. I have modified outputs.conf on the indexer in Splunk B with the values below:
[tcpout]
indexAndForward = true
forwardedindex.filter.disable = false
forwardedindex.2.whitelist = os_abc
forwardedindex.0.blacklist = history
forwardedindex.1.blacklist = main
forwardedindex.2.blacklist = os_cde
forwardedindex.3.blacklist = summary

[tcpout:ostravam]
disabled = false
server = hostip:port
Errors from the logs on the indexer server are shown below:
07-21-2020 00:45:57.221 -0400 ERROR TcpOutputFd - Read error. Connection reset by peer
07-21-2020 00:45:57.221 -0400 WARN TcpOutputProc - Applying quarantine to ip=10.145.243.21 port=9997 _numberOfFailures=2
07-21-2020 00:45:57.224 -0400 INFO ProxyConfig - Failed to initialize http_proxy from server.conf for splunkd. Please make sure that the http_proxy property is set as http_proxy=http://host:port in case HTTP proxying needs to be enabled.
Errors from the logs of the server I was connecting to:
07-21-2020 15:39:48.975 +1000 ERROR TcpInputProc - Error encountered for connection from src=10.87.238.134:35248. error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
07-21-2020 15:39:48.979 +1000 ERROR TcpInputProc - Error encountered for connection from src=10.87.238.134:35250. error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Is there anything that could assist me in getting around this?
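The two log excerpts in the post can be correlated mechanically. The Python below is an added example, not part of the original post and not Splunk code; the function names `parse` and `triage` are my own. The rule it applies is an assumption drawn from general OpenSSL behaviour rather than from the post: "wrong version number" on the receiving side, together with resets or quarantine on the sending side, is the usual signature of a sender that is not speaking TLS to a TLS-enabled receiving port.

```python
import re
from datetime import datetime, timezone

# Excerpts copied from the post: sending indexer first, then the receiver.
FORWARDER_LOG = """\
07-21-2020 00:45:57.221 -0400 ERROR TcpOutputFd - Read error. Connection reset by peer
07-21-2020 00:45:57.221 -0400 WARN TcpOutputProc - Applying quarantine to ip=10.145.243.21 port=9997 _numberOfFailures=2
"""
RECEIVER_LOG = """\
07-21-2020 15:39:48.975 +1000 ERROR TcpInputProc - Error encountered for connection from src=10.87.238.134:35248. error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
07-21-2020 15:39:48.979 +1000 ERROR TcpInputProc - Error encountered for connection from src=10.87.238.134:35250. error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
"""

# timestamp with UTC offset, level, component, " - ", message
LINE = re.compile(
    r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) (\w+)\s+(\w+) - (.*)$")

def parse(text):
    """Yield (utc_time, level, component, message) per splunkd.log line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S.%f %z")
            yield ts.astimezone(timezone.utc), m.group(2), m.group(3), m.group(4)

def triage(forwarder_text, receiver_text):
    """Summarise both sides and flag the cleartext-to-TLS mismatch pattern."""
    resets, quarantined = 0, set()
    for _, _, comp, msg in parse(forwarder_text):
        if comp == "TcpOutputFd" and "Connection reset by peer" in msg:
            resets += 1
        q = re.search(r"Applying quarantine to ip=(\S+) port=(\d+)", msg)
        if comp == "TcpOutputProc" and q:
            quarantined.add((q.group(1), int(q.group(2))))
    rejects = {}  # source IP -> UTC times of TLS record-version failures
    for ts, _, comp, msg in parse(receiver_text):
        s = re.search(r"from src=([\d.]+):\d+\..*wrong version number", msg)
        if comp == "TcpInputProc" and s:
            rejects.setdefault(s.group(1), []).append(ts)
    times = [t for seen in rejects.values() for t in seen]
    return {
        "resets": resets,
        "quarantined": sorted(quarantined),
        "tls_rejects": {ip: len(seen) for ip, seen in rejects.items()},
        "first_reject_utc": min(times, default=None),
        # Receiver rejected TLS records AND sender saw resets or quarantine.
        "mismatch_suspected": bool(rejects) and (resets > 0 or bool(quarantined)),
    }
```

When `mismatch_suspected` is true, compare the TLS settings in the sender's outputs.conf (the one shown in the post has none) with how the receiving port is configured on the other indexer.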