Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- WARN message when configuring universal forwarder ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
WARN message when configuring universal forwarder to send data to Splunk Cloud free trial
I already configured my Splunk universal forwarder to send data to my Splunk cloud trial and I am getting this error.
10-24-2017 21:22:27.533 -0500 WARN TcpOutputProc - Tcpout Processor: The TCP output processor has paused the data flow. Forwarding to output group default-autolb-group has been blocked for 800 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.
Dose anybody know what I am doing wrong?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you disabled the firewall on your computer to send data out to the Splunk Cloud Instance? You'll need to open outbound traffic to TCP/9997, more specifically, you can do a DNS lookup on the Splunk Cloud domain name and allow traffic to that IP address.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm behind a proxy so I configured the server.conf but I still can not connect to the cloud, the error I'm getting is:
10-25-2017 09:52:47.292 -0500 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr:
10-25-2017 09:52:47.292 -0500 INFO HttpPubSubConnection - Could not obtain connection, will retry after=59.350 seconds.
10-25-2017 09:52:49.510 -0500 ERROR TcpOutputProc - Processing server from outputs.conf: can't resolve a valid IP address for host="input-xxxxxxxxxx.cloud.splunk.com"
10-25-2017 09:52:49.610 -0500 ERROR TcpOutputProc - Processing server from outputs.conf: can't resolve a valid IP address for host="xxxxxx.cloud.splunk.com"
10-25-2017 09:53:51.641 -0500 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr:
10-25-2017 09:53:51.641 -0500 INFO HttpPubSubConnection - Could not obtain connection, will retry after=80.978 seconds.
10-25-2017 09:54:03.233 -0500 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
what would be the best practice to implement splunk universal forwarder behind a proxy???
any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for the answer, the local ports on the server are open, but I'm behind a proxy server; then I configured proxy settings but I still can not connect to the cloud, the error I'm getting is:
10-25-2017 09:07:39.281 -0500 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr:
10-25-2017 09:07:39.281 -0500 INFO HttpPubSubConnection - Could not obtain connection, will retry after=41.107 seconds.
10-25-2017 09:07:48.813 -0500 ERROR TcpOutputProc - Processing server from outputs.conf: can't resolve a valid IP address for host="input-xxxxxxx.cloud.splunk.com"
10-25-2017 09:07:48.813 -0500 ERROR TcpOutputProc - Processing server from outputs.conf: can't resolve a valid IP address for host="xxxxx.cloud.splunk.com"
I do not know if it is the best option to forward events or there is another way to splunk universal forwarder behind the proxy server.
Thanks for the Memories! Splunk University, .conf25, and our Community
Data Persistence in the OpenTelemetry Collector
Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever
