Getting Data In

WARN message when configuring universal forwarder to send data to Splunk Cloud free trial

tomasnelson
Explorer

I already configured my Splunk universal forwarder to send data to my Splunk cloud trial and I am getting this error.

10-24-2017 21:22:27.533 -0500 WARN TcpOutputProc - Tcpout Processor: The TCP output processor has paused the data flow. Forwarding to output group default-autolb-group has been blocked for 800 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.

Dose anybody know what I am doing wrong?

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

Have you disabled the firewall on your computer to send data out to the Splunk Cloud Instance? You'll need to open outbound traffic to TCP/9997, more specifically, you can do a DNS lookup on the Splunk Cloud domain name and allow traffic to that IP address.

0 Karma

tomasnelson
Explorer

I'm behind a proxy so I configured the server.conf but I still can not connect to the cloud, the error I'm getting is:

10-25-2017 09:52:47.292 -0500 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr:
10-25-2017 09:52:47.292 -0500 INFO HttpPubSubConnection - Could not obtain connection, will retry after=59.350 seconds.
10-25-2017 09:52:49.510 -0500 ERROR TcpOutputProc - Processing server from outputs.conf: can't resolve a valid IP address for host="input-xxxxxxxxxx.cloud.splunk.com"
10-25-2017 09:52:49.610 -0500 ERROR TcpOutputProc - Processing server from outputs.conf: can't resolve a valid IP address for host="xxxxxx.cloud.splunk.com"

10-25-2017 09:53:51.641 -0500 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr:
10-25-2017 09:53:51.641 -0500 INFO HttpPubSubConnection - Could not obtain connection, will retry after=80.978 seconds.
10-25-2017 09:54:03.233 -0500 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected

what would be the best practice to implement splunk universal forwarder behind a proxy???

any ideas?

0 Karma

tomasnelson
Explorer

thanks for the answer, the local ports on the server are open, but I'm behind a proxy server; then I configured proxy settings but I still can not connect to the cloud, the error I'm getting is:

10-25-2017 09:07:39.281 -0500 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr:
10-25-2017 09:07:39.281 -0500 INFO HttpPubSubConnection - Could not obtain connection, will retry after=41.107 seconds.
10-25-2017 09:07:48.813 -0500 ERROR TcpOutputProc - Processing server from outputs.conf: can't resolve a valid IP address for host="input-xxxxxxx.cloud.splunk.com"
10-25-2017 09:07:48.813 -0500 ERROR TcpOutputProc - Processing server from outputs.conf: can't resolve a valid IP address for host="xxxxx.cloud.splunk.com"

I do not know if it is the best option to forward events or there is another way to splunk universal forwarder behind the proxy server.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...