Getting Data In

Problem in setting up forwarder and reciever ( Received unexpected 369295360 byte message)


I am trying to configure a universal forwarder and a splunk enterprise as a reciever on 2 different windows7 machines. Following are my .conf settings.

On Forwarder (inputs.conf) -

host = XXX


_TCP_ROUTING = xxx.xx.x.224

disabled = false

followtail = 0


On Forwarder (ouputs.conf) -


defaultGroup = default-autolb-group


server = xxx.xx.x.224:9997


On Reciever (inputs.conf) -


disabled = 0

But I am getting the following error in reciever's splunkd.log

ERROR TcpInputProc - Received unexpected 369295360 byte message (Invalid payload_size=369295360 received while in parseState=1)! from src=xxx.xx.17.16:49709

I am able to do telnet from forwarder to reciever on port 9997.
Could anyone give me an idea about what could be the problem here ?

Tags (2)

Splunk Employee
Splunk Employee

sendCookedData=true in outputs.conf


Hi guys,

I've had this problem twice (and forgot the solution as well). I thought I would post the answer for next time I have the same 🙂

It is to do with the deployment server, so when you setup the deploy poll functionality:

splunk set deploy-poll <host>:<port>

Make sure the port is the management port on the server (default is 8089) not the receiver listening port (default 9997). Check this in $SPLUNK_HOME/etc/system/local/deployment-client.conf.

The forwarder still goes to 9997 (or whatever the port you have set the receiver to):

splunk add forward-server <host>:<port> -auth <username>:<password>

This fixes it for me so I hope it helps.



New Member

I have the same issue. Can anyone post answer for it. Thank you in advance. I am running splunk 6.x

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...