Getting Data In

Problem in setting up forwarder and reciever ( Received unexpected 369295360 byte message)

mahajan_amit
Engager

I am trying to configure a universal forwarder and a splunk enterprise as a reciever on 2 different windows7 machines. Following are my .conf settings.

On Forwarder (inputs.conf) -

[default]
host = XXX

[monitor://D:\SplunkDat\xx*.log]

_TCP_ROUTING = xxx.xx.x.224

disabled = false

followtail = 0

sourcetype=iis

On Forwarder (ouputs.conf) -

[tcpout]

defaultGroup = default-autolb-group

[tcpout:default-autolb-group]

server = xxx.xx.x.224:9997

[tcpout-server://xxx.xx.x.224:9997]

On Reciever (inputs.conf) -

[splunktcp://9997]

disabled = 0


But I am getting the following error in reciever's splunkd.log

ERROR TcpInputProc - Received unexpected 369295360 byte message (Invalid payload_size=369295360 received while in parseState=1)! from src=xxx.xx.17.16:49709

I am able to do telnet from forwarder to reciever on port 9997.
Could anyone give me an idea about what could be the problem here ?

Tags (2)

Heff
Splunk Employee
Splunk Employee

sendCookedData=true in outputs.conf

gethyn85
Engager

Hi guys,

I've had this problem twice (and forgot the solution as well). I thought I would post the answer for next time I have the same 🙂

It is to do with the deployment server, so when you setup the deploy poll functionality:

splunk set deploy-poll <host>:<port>

Make sure the port is the management port on the server (default is 8089) not the receiver listening port (default 9997). Check this in $SPLUNK_HOME/etc/system/local/deployment-client.conf.

The forwarder still goes to 9997 (or whatever the port you have set the receiver to):

splunk add forward-server <host>:<port> -auth <username>:<password>

This fixes it for me so I hope it helps.

Thanks,

Gethyn

uchaitanya
New Member

I have the same issue. Can anyone post answer for it. Thank you in advance. I am running splunk 6.x

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...