Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to fix TCPOutAutoLB-0 error?

hketer
Path Finder
‎09-14-2022 09:25 AM

Hello,

I'll try to explain our issue we had.

We have 7 HFs and 4 Idx
HF_1, HF_2, HF_3 sending TCP logs and log files to: HF_4 & HF_6 & HF_7 
HF_4 sending TCP logs (Not necessarily the same data) to HF_5 
HF_5 send the data from HF_4 to our Indexers.

 

The splunkd service on HF_5 was down, what cause our HF_4 to receive errors:

"TCPOutAutoLB-0 , forwarding destinations have failed"
make sense.

What I don't understand is why the servers HF_1\2\3 got stuck and stopped send data  also to HF_6 and HF_7.

 

Please help me understand this,
Thank you all!

 

Hen

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎09-14-2022 08:30 PM

Hi @hketer,

Are you also using TCP Syslog output on your HF_1/2/3 to any destination? Because if any of the Syslog TCP destinations gets stuck, all indexing and forwarding pipeline stops. That's why I prefer UDP Syslog output to prevent this problem. 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎09-14-2022 08:30 PM

Hi @hketer,

Are you also using TCP Syslog output on your HF_1/2/3 to any destination? Because if any of the Syslog TCP destinations gets stuck, all indexing and forwarding pipeline stops. That's why I prefer UDP Syslog output to prevent this problem. 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

hketer
Path Finder
‎09-18-2022 12:01 AM

Hi @scelikok ,

Yes, we do use TCP Syslog outputs to other destinations.
As I understand, the queues will get stuck and will affect all the other inputs configured ?

Will it affect only TCP inputs? or also monitoring files for example?

Thanks,
Hen

0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎09-18-2022 01:56 AM

Hi @hketer,

Yes, unfortunately, it affects all indexing processes.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

hketer
Path Finder
‎09-18-2022 04:06 AM

@scelikok 

Thank you for the help!

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...