Getting Data In

Problem in setting up forwarder and reciever ( Received unexpected 369295360 byte message)

mahajan_amit
Engager

I am trying to configure a universal forwarder and a splunk enterprise as a reciever on 2 different windows7 machines. Following are my .conf settings.

On Forwarder (inputs.conf) -

[default]
host = XXX

[monitor://D:\SplunkDat\xx*.log]

_TCP_ROUTING = xxx.xx.x.224

disabled = false

followtail = 0

sourcetype=iis

On Forwarder (ouputs.conf) -

[tcpout]

defaultGroup = default-autolb-group

[tcpout:default-autolb-group]

server = xxx.xx.x.224:9997

[tcpout-server://xxx.xx.x.224:9997]

On Reciever (inputs.conf) -

[splunktcp://9997]

disabled = 0


But I am getting the following error in reciever's splunkd.log

ERROR TcpInputProc - Received unexpected 369295360 byte message (Invalid payload_size=369295360 received while in parseState=1)! from src=xxx.xx.17.16:49709

I am able to do telnet from forwarder to reciever on port 9997.
Could anyone give me an idea about what could be the problem here ?

Tags (2)

Heff
Splunk Employee
Splunk Employee

sendCookedData=true in outputs.conf

gethyn85
Engager

Hi guys,

I've had this problem twice (and forgot the solution as well). I thought I would post the answer for next time I have the same 🙂

It is to do with the deployment server, so when you setup the deploy poll functionality:

splunk set deploy-poll <host>:<port>

Make sure the port is the management port on the server (default is 8089) not the receiver listening port (default 9997). Check this in $SPLUNK_HOME/etc/system/local/deployment-client.conf.

The forwarder still goes to 9997 (or whatever the port you have set the receiver to):

splunk add forward-server <host>:<port> -auth <username>:<password>

This fixes it for me so I hope it helps.

Thanks,

Gethyn

uchaitanya
New Member

I have the same issue. Can anyone post answer for it. Thank you in advance. I am running splunk 6.x

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...