Getting Data In

The Splunk receiver is not receiving the data from the Universal Forwarder.

Engager

Hi, I have installed both Splunk Enterprise and the Universal Forwarder. I have added a receiver from the Splunk web interface and configured the forwarder to send data, but the receiver is not receiving the data. Then I manually edited inputs.conf for receiving the data, but it is still not receiving. It is showing the following exception in the splunkd log:
ERROR TcpInputProc - Received unexpected 825371952 byte message (Invalid payload_size=825371952 received while in parseState=1)! from src=127.0.0.1:61811

The configurations are as follows:

Receiver: inputs.conf

[default]

host = admin-PC

[monitor://$SPLUNK_HOME\etc\splunk.version]

disabled = true

[monitor://$SPLUNK_HOME\var\log\splunk]

disabled = true

[batch://$SPLUNK_HOME\var\spool\splunk]

disabled = true

[batch://$SPLUNK_HOME\var\spool\splunk...stash_new]

disabled = true

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]

disabled = true

[splunktcp://9002]

disabled=false

Forwarder: inputs.conf

[default]

host = admin-PC

[monitor://D:\seachange\log\datagateway.log]

index = main

disabled = false

Forwarder: outputs.conf

[tcpout]

defaultGroup = default-autolb-group

[tcpout:default-autolb-group]

server = localhost:9002

sendCookedData = false

[tcpout-server://localhost:9002]

Now when I delete the receiver and configure a TCP input from the Add Data section in the web interface, it starts receiving data, but it also receives the data from the Application/System log. How is all this happening? I want only the receiver to collect data, and the data should be only from the log I specified in inputs.conf on the forwarder. FYI, I am working on a Windows 7 system.

I will highly appreciate anyone's help. Please point out where I am wrong.

0 Karma

Splunk Employee

Your outputs.conf on the forwarder seems to be sending to itself as "localhost"?

My forwarder looks like this, my indexer is .103
OUTPUTS:
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.1.103:9997

[tcpout-server://192.168.1.103:9997]

I also suspect that you enabled the windows-TA when you installed the forwarder; those .conf files are inside
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\etc\apps\
That is why you are getting Windows data but not your datagateway log.
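
An added diagnostic example, not part of the original thread and not Splunk's code: it unpacks the `payload_size` from the error line in the question as four bytes, to show what actually arrived on the `splunktcp` port. The assumptions are that the receiver reads the first four bytes of the stream as a big-endian length, and the names `decode_payload_size` and `PATTERN` are illustrative; the TLS check goes beyond the case in the thread.

```python
import re
import struct

# Error line copied from the question above.
LOG_LINE = ("ERROR TcpInputProc - Received unexpected 825371952 byte message "
            "(Invalid payload_size=825371952 received while in parseState=1)! "
            "from src=127.0.0.1:61811")

PATTERN = re.compile(r"Invalid payload_size=(\d+).*?from src=(\S+)")


def decode_payload_size(line):
    """Return (src, first_bytes, verdict) for a TcpInputProc size error.

    Assumption: the bogus size is simply the first four bytes the sender
    wrote, read as a big-endian unsigned integer.
    """
    m = PATTERN.search(line)
    if m is None:
        return None
    size, src = int(m.group(1)), m.group(2)
    if size > 0xFFFFFFFF:
        return (src, b"", "not a 32-bit value")
    first = struct.pack(">I", size)

    if first[0] == 0x16 and first[1] == 0x03:
        # TLS records start with content type 0x16 and version 0x03 0x0X.
        verdict = "tls"
    elif all(0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D) for b in first):
        # Printable ASCII: raw, uncooked text reached the splunktcp port.
        verdict = "text"
    else:
        verdict = "binary"
    return (src, first, verdict)


if __name__ == "__main__":
    src, first, verdict = decode_payload_size(LOG_LINE)
    print(f"src={src} first_bytes={first!r} verdict={verdict}")
    if verdict == "text":
        print("Sender is writing raw text; compare sendCookedData on the "
              "forwarder with the input stanza type on the receiver.")
```

Here the four bytes are the ASCII text `12-0`, which is consistent with the forwarder's `sendCookedData = false` delivering raw log lines to a `[splunktcp://9002]` input, and with the plain TCP input accepting the same stream.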
