Solved: Why has The TCP output processor paused data flow?

carlyleadmin · ‎09-21-2017

Hi,

i am not able to receive any data from my forwarder. It stopped working yesterday.port 9997 is open.connection is established.i can telnet to my server(which is my laptop).

here is the error from the splunkd from the forwarder

09-21-2017 15:20:51.293 -0400 WARN TcpOutputProc - Tcpout Processor: The TCP output processor has paused the data flow. Forwarding to output group default-autolb-group has been blocked for 82200 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.

here is my input file from the forwarder server
[default]
host = HC1xxxxxxCV

[monitor://C:\Program Files (x86)..........]
disabled = false
followTail = 0
sourcetype=Data Import
ignoreOlderThan = 6d

here is my outputs file from the forwarder

[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://rs1-sbaba-t440.xxxxxxxx:9997]

[tcpout:default-autolb-group]
disabled = false
server = rs1-sbaba-t440.xxxxxxxxxxxxx:9997,rs1-sbaba-t440:9997

[tcpout-server://rs1-sbaba-t440:9997]

i checked on my laptop the reeving is enabled

this is my input file from the receiver

[default]
host = rs1-sbaba-t440

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

i read something about internal que being blocked.and set the stopacceptafterqblock attribute on inputs file which i dont see in my receivers inputs file(under local folder)never change the conf files under default folder.

i've been banging my head for hours and since i am stuck probably missing something very simple but can't find it.anyhelp is appreciated.

this thing was working fine till yesterday and now all of a sudden i am not bale to get data

thanks,

carlyleadmin · ‎09-24-2017

alt text

View solution in original post

MattHatter · ‎12-04-2023

In my case, I forgot to enable listening on my indexers. (You'll need to do this on any heavy forwarders forwarders as well).

/opt/splunk/bin/splunk enable listen 9997

sbbadri · ‎09-25-2017

Try this

1) check indexers have enough space.
2) check Licesnse should not cross daily limit.
3) Try to simply outputs.conf like below.
outputs.conf.

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = rs1-sbaba-t440.xxxxxxxxxxxxx:9997,rs1-sbaba-t440:9997

carlyleadmin · ‎09-25-2017

i just uninstalled the forwarder and reinstall it and it started working agan.it is odd

carlyleadmin · ‎09-24-2017

alt text

thejohn · ‎10-25-2017

Hi, i have the same problem but i don't understand how to resolve it.
Can you explicit me the solutions?
THanks

jkat54 · ‎09-22-2017

You should have something like

[splunktcp://9997]

In inputs.conf on the indexer. Which in this case is your laptop it sounds like.

Probably easiest for you to open the Splunk web ui on your laptop log in as admin, go to settings -> forwarding and receiving -> receiving ... enable receiving and specify port 9997.

carlyleadmin · ‎09-24-2017

receiving is enabled thru gui but when i check the inputs.config i dont see the stanza.

i tried adding it manually to the config and still no good.it shows inactive on forwarder when search for it.

i am on a trial license would that be the reason.daily volume issue?

jkat54 · ‎09-25-2017

Something isn't configured right... network, firewall, Splunk, etc.

On the forwarder, run this command:

$SPLUNK_HOME/bin/splunk btool outputs list --debug

On the indexer, run this command:

$SPLUNK_HOME/bin/splunk btool inputs list --debug

Make sure you're replacing $SPLUNK_HOME with the actual path to the Splunk folder.

Copy and paste the outputs here. Then we should be able to tell you if Splunk is configured correctly.

thejohn · ‎10-25-2017

I show you my outputs list, can you check if it's all correct? Thanks

/opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/apps/SplunkUniversalForward /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/local/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/apps/SplunkUniversalForward /opt/splunkforwarder/etc/apps/SplunkUniversalForward /opt/splunkforwarder/etc/apps/SplunkUniversalForward /opt/splunkforwarder/etc/apps/SplunkUniversalForward /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/local/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/default/outputs.conf /opt/splunkforwarder/etc/system/local/outputs.conf /opt/splunkforwarder/etc/system/local/outputs.conf /opt/splunkforwarder/etc/system/local/outputs.conf /opt/splunkforwarder/etc/system/local/outputs.conf [syslog]
maxEventSize = 1024
priority = <13>
type = udp
er/default/outputs.conf [tcpout]
ackTimeoutOnShutdown = 30
autoLBFrequency = 30
autoLBVolume = 0
blockOnCloning = true
blockWarnThreshold = 100
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256
compressed = false
connectionTimeout = 20
defaultGroup = default-autolb-group
disabled = false
dropClonedEventsOnQueueFull = 5
dropEventsOnQueueFull = -1
ecdhCurves = prime256v1, secp384r1, secp521r1
forceTimebasedAutoLB = false
er/default/outputs.conf forwardedindex.0.whitelist = .*
er/default/outputs.conf forwardedindex.1.blacklist = _.*
er/default/outputs.conf forwardedindex.2.whitelist = (_audit|_introspection|_internal|_telemetry)
er/default/outputs.conf forwardedindex.filter.disable = false
heartbeatFrequency = 30
indexAndForward = 0
maxConnectionsPerIndexer = 2
maxFailuresPerInterval = 2
maxQueueSize = auto
readTimeout = 300
secsInFailureInterval = 1
sendCookedData = true
sslQuietShutdown = false
sslVersions = tls1.2
tcpSendBufSz = 0
useACK = false
writeTimeout = 300
[tcpout-server://192.168.5.42:9997]
[tcpout:default-autolb-group]
disabled = 0
server = 192.168.5.42:9997

jkat54 · ‎10-25-2017

Open a new thread please.

Why has The TCP output processor paused data flow?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies