Getting Data In

HttpListener - Socket error from xx.xx.xx.xx:39944 while idling: Read Timeout

emallinger
Communicator

Hello everyone,

 

Could you please point me in the right direction ?

I'm trying to get a universal fowarder to talk to my splunk instance (mono-instance).

I've set the deployer Server correctly on the forwarder (done and checked multiple times, used with other forwarders).

 

On the forwarder : debian 10, w splunf uf 8.0.4 or  8.1.2 or 8.0.5

tcptraceroute to my-manager.fr:8089 => ok

telnet => opening connection

curl => empty reply from server

in splunkd.log :

DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected

 

On the manager : debian 9, splunk 8.0.4.1

I've got on index=_internal :

HttpListener - Socket error from xx.xx.xx.xx:39944 while idling: Read Timeout

where xx.xx.xx.xx is the IP of the forwarder.

 

I've logs on both machines, with DEBUG strategically placed in log.cfg.

I still don't get it.

I don't even understand what is wrong.

 

Any idea ?

Thanks in advance,

Regards,

Ema

Labels (1)
Tags (1)
0 Karma
1 Solution

emallinger
Communicator

Hi everyone,

Seems it was a network problem.

As I understand it, my flux was routed to a gateway that was the usual standard one.

Turned out this was not the one I needed.

I used

route add -net xx.xx.xx.xx/yy gw zz.zz.zz.zz dev eth0

and then an update of 

/etc/netword/interfaces.d/eth0

(to permanently add the new route).

to fix the route toward my target monointance.

Works fine now.

Thanks everyone !

Ema

View solution in original post

0 Karma

SOURAV_S
Explorer

Hi Ema,

 

Can you check if these steps are working for you:

https://www.learnsplunk.com/splunk-forwarder-not-sending-data.html 

 

If this works for you, mark this as solution.

Happy Splunking! 🙂

0 Karma

Vardhan
Contributor

Hi  @emallinger,

Did you check the connectivity from your forwarder to the deployment server? is it connecting?

telnet "ip of deploymentserver" 8089 

 

0 Karma

emallinger
Communicator

Hi,

Telnet says "connected to xx.xx.xx.xx"

Ema

0 Karma

emallinger
Communicator

Hi everyone,

Seems it was a network problem.

As I understand it, my flux was routed to a gateway that was the usual standard one.

Turned out this was not the one I needed.

I used

route add -net xx.xx.xx.xx/yy gw zz.zz.zz.zz dev eth0

and then an update of 

/etc/netword/interfaces.d/eth0

(to permanently add the new route).

to fix the route toward my target monointance.

Works fine now.

Thanks everyone !

Ema

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...