Getting Data In

How to troubleshoot why Windows universal forwarder connection to Sandbox errors out no matter what method used?

DelProfundo
Explorer

Lots of posts on this, all are wrong. Both methods (manual modification of outputs.conf files and installing the app from the cloud management interface) fail with the same old errors that everyone else complains about.

01-27-2015 19:52:39.782 +1000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
01-27-2015 19:52:40.942 +1000 INFO  TcpOutputProc - Connected to idx=54.84.49.180:9997 using ACK.
01-27-2015 19:52:47.265 +1000 INFO  TailingProcessor - Could not send data to output queue (parsingQueue), retrying...

I have linux and OSX hosts on the same network and others are hitting the sandbox correctly.

I can TELNET to the input- :9997 address.

Please help. I am really over this. I have used every link mentioned in the other posts and none work. Well, except for the command line testing on the server side, but given I am using the cloud sandbox, I do not have CLI access.

0 Karma
1 Solution

DelProfundo
Explorer

The solution was to not put the address of the splunk server in the setup wizard of the forwarder but to run the app.

View solution in original post

DelProfundo
Explorer

The solution was to not put the address of the splunk server in the setup wizard of the forwarder but to run the app.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...