Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk not accepting data from forwarder

anupamdt
New Member
‎08-18-2017 03:07 AM

I have installed Splunk universal forwarder on my local system where the enterprise instance is installed. After installing the forwarder I have done the required configurations as well but now I can see any data received from the forwarder. When I check the splunkd.log file I can see some messages like "TcpOutputProc - Tcpout Processor: The TCP output processor has paused the data flow. Forwarding to output group default-autolb-group has been blocked for 1430 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data."

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎08-18-2017 06:04 AM

I have installed Splunk universal forwarder on my local system where the enterprise instance is installed ///

Did you install universal forwarder on the local system where also Splunk Enterprise (Splunk indexer) is installed?!?! On the same single system?!?!

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

anupamdt
New Member
‎08-20-2017 09:14 PM

Yes both of them are installed on the same system.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎08-18-2017 06:00 AM

Did you enable Splunk to listen on port 9997?

If so, you can start with this link

http://docs.splunk.com/Documentation/Splunk/6.6.2/Troubleshooting/Cantfinddata

0 Karma
Reply

anupamdt
New Member
‎08-20-2017 09:18 PM

I have enabled splunk to listen on 9997 port.
My input.conf looks like below:
[default]
host = DUTTAAN2
[splunktcp://9997]
disabled = 0
stopAcceptorAfterQBlock = 1200

The output.conf like:

[tcpout]
defaultGroup = default-autolb-group
indexAndForward = 0

[tcpout:default-autolb-group]
disabled = 0
server = localhost:9997

[tcpout-server://localhost:9997]

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...