Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to fix TCPOutAutoLB-0 error?

hketer
Path Finder
‎09-14-2022 09:25 AM

Hello,

I'll try to explain our issue we had.

We have 7 HFs and 4 Idx
HF_1, HF_2, HF_3 sending TCP logs and log files to: HF_4 & HF_6 & HF_7 
HF_4 sending TCP logs (Not necessarily the same data) to HF_5 
HF_5 send the data from HF_4 to our Indexers.

 

The splunkd service on HF_5 was down, what cause our HF_4 to receive errors:

"TCPOutAutoLB-0 , forwarding destinations have failed"
make sense.

What I don't understand is why the servers HF_1\2\3 got stuck and stopped send data  also to HF_6 and HF_7.

 

Please help me understand this,
Thank you all!

 

Hen

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎09-14-2022 08:30 PM

Hi @hketer,

Are you also using TCP Syslog output on your HF_1/2/3 to any destination? Because if any of the Syslog TCP destinations gets stuck, all indexing and forwarding pipeline stops. That's why I prefer UDP Syslog output to prevent this problem. 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎09-14-2022 08:30 PM

Hi @hketer,

Are you also using TCP Syslog output on your HF_1/2/3 to any destination? Because if any of the Syslog TCP destinations gets stuck, all indexing and forwarding pipeline stops. That's why I prefer UDP Syslog output to prevent this problem. 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

hketer
Path Finder
‎09-18-2022 12:01 AM

Hi @scelikok ,

Yes, we do use TCP Syslog outputs to other destinations.
As I understand, the queues will get stuck and will affect all the other inputs configured ?

Will it affect only TCP inputs? or also monitoring files for example?

Thanks,
Hen

0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎09-18-2022 01:56 AM

Hi @hketer,

Yes, unfortunately, it affects all indexing processes.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

hketer
Path Finder
‎09-18-2022 04:06 AM

@scelikok 

Thank you for the help!

Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...