
WARN message when configuring universal forwarder to send data to Splunk Cloud free trial

Explorer

I already configured my Splunk universal forwarder to send data to my Splunk cloud trial and I am getting this error.

10-24-2017 21:22:27.533 -0500 WARN TcpOutputProc - Tcpout Processor: The TCP output processor has paused the data flow. Forwarding to output group default-autolb-group has been blocked for 800 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.

Does anybody know what I am doing wrong?

0 Karma

Re: WARN message when configuring universal forwarder to send data to Splunk Cloud free trial

Splunk Employee

Have you disabled the firewall on your computer to send data out to the Splunk Cloud instance? You'll need to open outbound traffic to TCP/9997; more specifically, you can do a DNS lookup on the Splunk Cloud domain name and allow traffic to that IP address.

0 Karma

Re: WARN message when configuring universal forwarder to send data to Splunk Cloud free trial

Explorer

Thanks for the answer. The local ports on the server are open, but I'm behind a proxy server; I then configured proxy settings, but I still cannot connect to the cloud. The error I'm getting is:

10-25-2017 09:07:39.281 -0500 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr:
10-25-2017 09:07:39.281 -0500 INFO HttpPubSubConnection - Could not obtain connection, will retry after=41.107 seconds.
10-25-2017 09:07:48.813 -0500 ERROR TcpOutputProc - Processing server from outputs.conf: can't resolve a valid IP address for host="input-xxxxxxx.cloud.splunk.com"
10-25-2017 09:07:48.813 -0500 ERROR TcpOutputProc - Processing server from outputs.conf: can't resolve a valid IP address for host="xxxxx.cloud.splunk.com"

I do not know if it is the best option to forward events, or if there is another way to use the Splunk universal forwarder behind the proxy server.

0 Karma

Re: WARN message when configuring universal forwarder to send data to Splunk Cloud free trial

Explorer

I'm behind a proxy, so I configured the server.conf, but I still cannot connect to the cloud. The error I'm getting is:

10-25-2017 09:52:47.292 -0500 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr:
10-25-2017 09:52:47.292 -0500 INFO HttpPubSubConnection - Could not obtain connection, will retry after=59.350 seconds.
10-25-2017 09:52:49.510 -0500 ERROR TcpOutputProc - Processing server from outputs.conf: can't resolve a valid IP address for host="input-xxxxxxxxxx.cloud.splunk.com"
10-25-2017 09:52:49.610 -0500 ERROR TcpOutputProc - Processing server from outputs.conf: can't resolve a valid IP address for host="xxxxxx.cloud.splunk.com"

10-25-2017 09:53:51.641 -0500 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr:
10-25-2017 09:53:51.641 -0500 INFO HttpPubSubConnection - Could not obtain connection, will retry after=80.978 seconds.
10-25-2017 09:54:03.233 -0500 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected

What would be the best practice to implement the Splunk universal forwarder behind a proxy?

Any ideas?

0 Karma
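
An added example, not part of the original posts or of Splunk's own tooling: a small triage script that sorts splunkd.log lines like the ones quoted in this thread into failure stages, so that a name-resolution failure is told apart from a blocked output group. The category names, function names and sample log are assumptions constructed for illustration from the messages above.

```python
import re
from collections import Counter

# Constructed sample, modeled on the splunkd.log lines quoted in this thread.
SAMPLE_LOG = """\
10-24-2017 21:22:27.533 -0500 WARN TcpOutputProc - Tcpout Processor: The TCP output processor has paused the data flow. Forwarding to output group default-autolb-group has been blocked for 800 seconds.
10-25-2017 09:07:39.281 -0500 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr:
10-25-2017 09:07:48.813 -0500 ERROR TcpOutputProc - Processing server from outputs.conf: can't resolve a valid IP address for host="input-xxxxxxx.cloud.splunk.com"
10-25-2017 09:54:03.233 -0500 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
"""

# Groups: timestamp, level, component, message
LINE_RE = re.compile(
    r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) (\w+)\s+(\S+) - (.*)$")

# (category, component, pattern); category names are hypothetical labels.
RULES = [
    # Name lookup failed on the forwarder host, so no connection was attempted.
    ("dns_failure", "TcpOutputProc",
     re.compile(r"can't resolve a valid IP address for host=\"([^\"]+)\"")),
    # Output group blocked; the log text itself points at the receiver.
    ("output_blocked", "TcpOutputProc",
     re.compile(r"output group (\S+) has been blocked for (\d+) seconds")),
    ("ds_not_connected", "DC:DeploymentClient", re.compile(r"err=(not_connected)")),
    ("pubsub_unparseable", "HttpPubSubConnection",
     re.compile(r"Unable to parse message from PubSubSvr")),
]

def triage(text):
    """Return one finding per recognised line, in log order."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or text that is not a splunkd.log record
        ts, level, component, msg = m.groups()
        for category, comp, pattern in RULES:
            hit = pattern.search(msg) if comp == component else None
            if hit:
                findings.append({"time": ts, "level": level,
                                 "category": category, "detail": hit.groups()})
                break
    return findings

def summarize(findings):
    """Count findings per category and list the hosts that failed to resolve."""
    counts = Counter(f["category"] for f in findings)
    hosts = sorted({f["detail"][0] for f in findings if f["category"] == "dns_failure"})
    return counts, hosts
```

Calling `summarize(triage(text))` on the forwarder's splunkd.log contents gives the per-category counts and the host names that could not be resolved, which are the names to check with a DNS lookup from the forwarder host.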