Getting Data In

WARN message when configuring universal forwarder to send data to Splunk Cloud free trial

tomasnelson
Explorer

I already configured my Splunk universal forwarder to send data to my Splunk cloud trial and I am getting this error.

10-24-2017 21:22:27.533 -0500 WARN TcpOutputProc - Tcpout Processor: The TCP output processor has paused the data flow. Forwarding to output group default-autolb-group has been blocked for 800 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.

Dose anybody know what I am doing wrong?

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

Have you disabled the firewall on your computer to send data out to the Splunk Cloud Instance? You'll need to open outbound traffic to TCP/9997, more specifically, you can do a DNS lookup on the Splunk Cloud domain name and allow traffic to that IP address.

0 Karma

tomasnelson
Explorer

I'm behind a proxy so I configured the server.conf but I still can not connect to the cloud, the error I'm getting is:

10-25-2017 09:52:47.292 -0500 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr:
10-25-2017 09:52:47.292 -0500 INFO HttpPubSubConnection - Could not obtain connection, will retry after=59.350 seconds.
10-25-2017 09:52:49.510 -0500 ERROR TcpOutputProc - Processing server from outputs.conf: can't resolve a valid IP address for host="input-xxxxxxxxxx.cloud.splunk.com"
10-25-2017 09:52:49.610 -0500 ERROR TcpOutputProc - Processing server from outputs.conf: can't resolve a valid IP address for host="xxxxxx.cloud.splunk.com"

10-25-2017 09:53:51.641 -0500 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr:
10-25-2017 09:53:51.641 -0500 INFO HttpPubSubConnection - Could not obtain connection, will retry after=80.978 seconds.
10-25-2017 09:54:03.233 -0500 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected

what would be the best practice to implement splunk universal forwarder behind a proxy???

any ideas?

0 Karma

tomasnelson
Explorer

thanks for the answer, the local ports on the server are open, but I'm behind a proxy server; then I configured proxy settings but I still can not connect to the cloud, the error I'm getting is:

10-25-2017 09:07:39.281 -0500 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr:
10-25-2017 09:07:39.281 -0500 INFO HttpPubSubConnection - Could not obtain connection, will retry after=41.107 seconds.
10-25-2017 09:07:48.813 -0500 ERROR TcpOutputProc - Processing server from outputs.conf: can't resolve a valid IP address for host="input-xxxxxxx.cloud.splunk.com"
10-25-2017 09:07:48.813 -0500 ERROR TcpOutputProc - Processing server from outputs.conf: can't resolve a valid IP address for host="xxxxx.cloud.splunk.com"

I do not know if it is the best option to forward events or there is another way to splunk universal forwarder behind the proxy server.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...