Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: TcpInputProc errors after turning on autoLB on...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We recently started turning on 'autoLB' for our lightweight forwarders. We use the default value of 30 seconds for the forwarder to rotate from indexer to indexer.
It seems to work fine except that now we're see regular errors in splunkd.log from each forwarder as it decides to disconnect from each indexer. That is, we'll see
06-16-2010 12:14:15.337 INFO TcpInputProc - Connection in cooked mode from host.x.y.z 06-16-2010 12:14:15.478 INFO TcpInputProc - Valid signature found 06-16-2010 12:14:15.478 INFO TcpInputProc - Connection accepted from host.x.y.z
and then
06-16-2010 12:14:47.478 ERROR TcpInputProc - Error encountered for connection from host=host.x.y.z, ip=x.x.x.x. Connection closed by peer 06-16-2010 12:14:47.478 INFO TcpInputProc - Hostname=host.x.y.z closed connection
Because these forwarders are now going to be disconnect once per minute now, this is going to generate a lot of new "errors" in splunkd.log.
Can this be suppressed from splunkd.log as it's not really a sign of a problem as I understand it?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
According to support:
There was a bug reported and it was fixed in 4.1.3 release. Please upgrade to 4.1.3 to see if it works fine on your side. Bug#SPL-31032.
When we upgraded from 4.1.2 to 4.1.4 and this issue went away. FYI.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
According to support:
There was a bug reported and it was fixed in 4.1.3 release. Please upgrade to 4.1.3 to see if it works fine on your side. Bug#SPL-31032.
When we upgraded from 4.1.2 to 4.1.4 and this issue went away. FYI.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, you certainly can change the log level for TcpInputProc from FATAL, but that might hide other problems. You could set it to just ERROR or WARN to get rid of the INFO messages, which should be fine.
I'd worry about why you are in fact getting the ERRORS though, and investigate whether there is something funny going on on your network.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The thing is that nothing has changed other than our usage of this autoLB functionality. Why would we get no errors of this kind of the forwarder is pinned to one indexer,but now get tons of them if we use autoLB? I find it hard to believe that this is a network issue. While I realize we could turn off this level of logging, but I'd hate to lose other messages of this log level.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To change the log level permanently, you have to edit $SPLUNK_HOME/etc/log.cfg. Changing it in the Manager GUI only lasts until splunkd is next shut down.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
