Getting Data In

Problem in setting up forwarder and reciever ( Received unexpected 369295360 byte message)


I am trying to configure a universal forwarder and a splunk enterprise as a reciever on 2 different windows7 machines. Following are my .conf settings.

On Forwarder (inputs.conf) -

host = XXX


_TCP_ROUTING = xxx.xx.x.224

disabled = false

followtail = 0


On Forwarder (ouputs.conf) -


defaultGroup = default-autolb-group


server = xxx.xx.x.224:9997


On Reciever (inputs.conf) -


disabled = 0

But I am getting the following error in reciever's splunkd.log

ERROR TcpInputProc - Received unexpected 369295360 byte message (Invalid payload_size=369295360 received while in parseState=1)! from src=xxx.xx.17.16:49709

I am able to do telnet from forwarder to reciever on port 9997.
Could anyone give me an idea about what could be the problem here ?

Tags (2)

Splunk Employee
Splunk Employee

sendCookedData=true in outputs.conf


Hi guys,

I've had this problem twice (and forgot the solution as well). I thought I would post the answer for next time I have the same 🙂

It is to do with the deployment server, so when you setup the deploy poll functionality:

splunk set deploy-poll <host>:<port>

Make sure the port is the management port on the server (default is 8089) not the receiver listening port (default 9997). Check this in $SPLUNK_HOME/etc/system/local/deployment-client.conf.

The forwarder still goes to 9997 (or whatever the port you have set the receiver to):

splunk add forward-server <host>:<port> -auth <username>:<password>

This fixes it for me so I hope it helps.



New Member

I have the same issue. Can anyone post answer for it. Thank you in advance. I am running splunk 6.x

0 Karma