Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why has the TCP output processor has paused the data flow and why has forwarding to output group default-autolb-group been blocked?

maryjomcguinnes
New Member
‎02-01-2018 08:20 AM

Please help me to resolve the following issue. It seems I am getting no data through now at all

Tcpout Processor: The TCP output processor has paused the data flow. Forwarding to output group default-autolb-group has been blocked for 10 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data

Here is my output from running the following: splunk btool inputs list --debug

C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default
C:\Program Files\Splunk\etc\system\default\inputs.conf                               [fschange:C:\Program Files\Splunk\etc]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\system\default\inputs.conf                               delayInMills = 100
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\default\inputs.conf                               filesPerDelay = 10
C:\Program Files\Splunk\etc\system\default\inputs.conf                               followLinks = false
C:\Program Files\Splunk\etc\system\default\inputs.conf                               fullEvent = false
C:\Program Files\Splunk\etc\system\default\inputs.conf                               hashMaxSize = -1
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default
C:\Program Files\Splunk\etc\system\default\inputs.conf                               pollPeriod = 600
C:\Program Files\Splunk\etc\system\default\inputs.conf                               recurse = true
C:\Program Files\Splunk\etc\system\default\inputs.conf                               sendEventMaxSize = -1
C:\Program Files\Splunk\etc\system\default\inputs.conf                               signedaudit = true
C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf                [http]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf                allowSslCompression = true
C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf                allowSslRenegotiation = true
C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf                dedicatedIoThreads = 2
C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf                disabled = 1
C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf                enableSSL = 1
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default
C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf                maxSockets = 0
C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf                maxThreads = 0
C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf                port = 8088
C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf                sslVersions = *,-ssl2
C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf                useDeploymentServer = 0
C:\Program Files\Splunk\etc\system\default\inputs.conf                               [monitor://C:\Program Files\Splunk\etc\splunk.version]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _TCP_ROUTING = *
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = _internal
C:\Program Files\Splunk\etc\system\default\inputs.conf                               sourcetype = splunk_version
C:\Program Files\Splunk\etc\apps\introspection_generator_addon\default\inputs.conf   [monitor://C:\Program Files\Splunk\var\log\introspectio
n]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\apps\introspection_generator_addon\default\inputs.conf   index = _introspection
C:\Program Files\Splunk\etc\system\default\inputs.conf                               [monitor://C:\Program Files\Splunk\var\log\splunk]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = _internal
C:\Program Files\Splunk\etc\system\default\inputs.conf                               [monitor://C:\Program Files\Splunk\var\log\splunk\licen
se_usage_summary.log]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = _telemetry
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 [monitor://C:\Windows\System32\DHCP]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 crcSalt = 
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 disabled = 1
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 index = windows
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 sourcetype = DhcpSrvLog
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 whitelist = DhcpSrvLog*
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 [monitor://C:\Windows\WindowsUpdate.log]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 disabled = 1
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 index = windows
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 sourcetype = WindowsUpdateLog
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 [perfmon://CPU]
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 counters = % Processor Time; % User Time; % Privileged
Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/
sec; C2 Transitions/sec; C3 Transitions/sec
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 disabled = 1
host = nc048046
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 index = perfmon
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 instances = *
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 interval = 10
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 object = Processor
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 useEnglishOnly = true
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 [perfmon://LogicalDisk]
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 counters = % Free Space; Free Megabytes; Current Disk Q
ueue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Le
ngth; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec;
Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 disabled = 1
host = nc048046
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 index = perfmon
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 instances = *
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 interval = 10
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 object = LogicalDisk
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 useEnglishOnly = true
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 [perfmon://Memory]
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 counters = Page Faults/sec; Available Bytes; Committed
Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Rea
ds/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page
Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver
Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transi
tion Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority
 Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 disabled = 1
host = nc048046
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 index = perfmon
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 interval = 10
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 object = Memory
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 useEnglishOnly = true
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 [perfmon://Network]
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 counters = Bytes Total/sec; Packets/sec; Packets Receiv
ed/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Rec
eived Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec;
Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesc
ed Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 disabled = 1
host = nc048046
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 index = perfmon
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 instances = *
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 interval = 10
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 object = Network Interface
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 useEnglishOnly = true
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 [perfmon://PhysicalDisk]
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 counters = Current Disk Queue Length; % Disk Time; Avg.
 Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer;
Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Writ
e Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 disabled = 1
host = nc048046
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 index = perfmon
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 instances = *
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 interval = 10
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 object = PhysicalDisk
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 useEnglishOnly = true
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 [perfmon://Process]
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 counters = % Processor Time; % User Time; % Privileged
Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Byte
s; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read
Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Byt
es/sec; IO Other Bytes/sec; Working Set - Private
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 disabled = 1
host = nc048046
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 index = perfmon
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 instances = *
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 interval = 10
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 object = Process
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 useEnglishOnly = true
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 [perfmon://System]
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 counters = File Read Operations/sec; File Write Operati
ons/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/
sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; F
loating Emulations/sec; % Registry Quota In Use
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 disabled = 1
host = nc048046
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 index = perfmon
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 instances = *
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 interval = 10
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 object = System
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 useEnglishOnly = true
C:\Program Files\Splunk\etc\system\default\inputs.conf                               [script]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default
C:\Program Files\Splunk\etc\system\default\inputs.conf                               interval = 60.0
C:\Program Files\Splunk\etc\system\default\inputs.conf                               start_by_shell = false
C:\Program Files\Splunk\etc\system\default\inputs.conf                               [script://C:\Program Files\Splunk\bin\scripts\splunk-wm
i.path]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\system\default\inputs.conf                               disabled = 0
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default
C:\Program Files\Splunk\etc\system\default\inputs.conf                               interval = 10000000
C:\Program Files\Splunk\etc\system\default\inputs.conf                               persistentQueueSize = 200MB
C:\Program Files\Splunk\etc\system\default\inputs.conf                               queue = winparsing
C:\Program Files\Splunk\etc\system\default\inputs.conf                               source = wmi
C:\Program Files\Splunk\etc\system\default\inputs.conf                               sourcetype = wmi
C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf          [script://C:\Program Files\Splunk\etc/apps/splunk_instr
umentation/bin/instrumentation.py]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf          disabled = false
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf          index = _telemetry
C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf          interval = 5 3 * * *
C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf          passAuth = splunk-system-user
C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf          source = instrumentation_scripted_input
C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf          sourcetype = splunk_telemetry_log
C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf          [script://C:\Program Files\Splunk\etc/apps/splunk_instr
umentation/bin/on_splunk_start.py]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf          disabled = false
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default
C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf          interval = -1
C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf          passAuth = splunk-system-user
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 [script://C:\Program Files\Splunk\etc\apps\Splunk_TA_wi
ndows\bin\win_installed_apps.bat]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 disabled = 1
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 index = windows
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 interval = 86400
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 sourcetype = Script:InstalledApps
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 [script://C:\Program Files\Splunk\etc\apps\Splunk_TA_wi
ndows\bin\win_listening_ports.bat]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 disabled = 1
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 index = windows
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 interval = 3600
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 sourcetype = Script:ListeningPorts
C:\Program Files\Splunk\etc\apps\introspection_generator_addon\default\inputs.conf   [script://C:\Program Files\Splunk\etc\apps\introspectio
n_generator_addon\bin\collector.path]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default
C:\Program Files\Splunk\etc\apps\introspection_generator_addon\default\inputs.conf   interval = 0
C:\Program Files\Splunk\etc\apps\introspection_generator_addon\default\inputs.conf   sourcetype = splunk_resource_usage__internal
C:\Program Files\Splunk\etc\apps\splunk_monitoring_console\default\inputs.conf       [script://C:\Program Files\Splunk\etc\apps\splunk_monit
oring_console\bin\dmc_config.py]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default
C:\Program Files\Splunk\etc\apps\splunk_monitoring_console\default\inputs.conf       interval = -1
C:\Program Files\Splunk\etc\apps\splunk_monitoring_console\default\inputs.conf       passAuth = splunk-system-user
C:\Program Files\Splunk\etc\system\default\inputs.conf                               [splunktcp]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\system\default\inputs.conf                               acceptFrom = *
C:\Program Files\Splunk\etc\system\default\inputs.conf                               connection_host = ip
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default
C:\Program Files\Splunk\etc\system\default\inputs.conf                               route = has_key:_replicationBucketUUID:replicationQueue
;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\local\inputs.conf [splunktcp://9997]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\local\inputs.conf connection_host = ip
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default
C:\Program Files\Splunk\etc\system\default\inputs.conf                               [tcp]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\system\default\inputs.conf                               acceptFrom = *
C:\Program Files\Splunk\etc\system\default\inputs.conf                               connection_host = dns
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default
C:\Program Files\Splunk\etc\system\default\inputs.conf                               [udp]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\system\default\inputs.conf                               connection_host = ip
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default

C:\Program Files\Splunk\bin>splunk btool inputs list --debug
0 Karma
Reply

maryjomcguinnes
New Member
‎02-06-2018 08:23 AM

Hi, thanks for getting back to me iandrews. I have everything installed on the one Windows server. Splunk, universal forwarder etc. How do I check if the forwarder can connect to the inputs port?

0 Karma
Reply

iandrews_splunk
Splunk Employee
Splunk Employee
‎02-06-2018 09:24 AM

If the server you're monitoring is also the splunk server, then you should just have to change all those "disabled = 1" to "disabled = 0", for the inputs you want, and restart splunk.

0 Karma
Reply

maryjomcguinnes
New Member
‎02-06-2018 09:42 AM

But I still need the Splunk App for Windows Infrastructure and Splunk Add-on for Windows and then just change all inputs in the inputs.conf to disabled=0 and then restart?

0 Karma
Reply

iandrews_splunk
Splunk Employee
Splunk Employee
‎02-06-2018 09:43 AM

that should be it. also, those apps have lots of documentation on splunkbase

0 Karma
Reply

iandrews_splunk
Splunk Employee
Splunk Employee
‎02-06-2018 07:54 AM

This usually happens when a forwarder cannot send something to an indexer. Is splunk running on your indexer? Is the input's port open? Can the forwarder connect to the input's port?

0 Karma
Reply

maryjomcguinnes
New Member
‎02-06-2018 08:28 AM

Hi thanks for getting back to me. I have everything installed on the one Windows server I am using, Splunk Enterprise, Universal Forwarder, Windows app for Splunk and Windows add on and selected the Windows host as the deployment server. How can I tell if the forwarder can connect to the inputs port?
Can you let me know if this configuration is supported, I couldn't find anywhere in the documentation that it isn't.

Thanks in advance for your help

0 Karma
Reply

iandrews_splunk
Splunk Employee
Splunk Employee
‎02-06-2018 09:00 AM

I have everything installed on the one Windows server I am using, Splunk Enterprise, Universal Forwarder, Windows app for Splunk and Windows add on and selected the Windows host as the deployment server.

Do you have both splunk enterprise and splunk forwarder installed on the same machine?

0 Karma
Reply

maryjomcguinnes
New Member
‎02-06-2018 09:03 AM

Yes I do. I didn't know whether I needed the universal forwarder or not as I really just wanted to monitor the Windows server itself. Is it ok to have both on the same machine?

0 Karma
Reply

iandrews_splunk
Splunk Employee
Splunk Employee
‎02-06-2018 09:06 AM

It is not, as both share some of the same ports. If the server you're monitoring is also the splunk server, then remove the universal forwarder. If your splunk server isn't the server you're monitoring, remove splunk enterprise.

0 Karma
Reply

maryjomcguinnes
New Member
‎02-06-2018 09:15 AM

I see, so that might have caused the TCP error/warning? I will remove the Universal Forwarder then as the Splunk server is the server I am monitoring. Could I just double check with you what I need for this scenario then. Splunk Enterprise, Splunk App for Windows infrastructure, Splunk Add on for Windows for just monitoring the Windows server I have these installed on? I don't necessarily need the Active Directory app/add on?

0 Karma
Reply

maryjomcguinnes
New Member
‎02-06-2018 09:31 AM

Ok thanks a lot for your help for now. Much appreciated

0 Karma
Reply

iandrews_splunk
Splunk Employee
Splunk Employee
‎02-06-2018 09:16 AM

that's correct

0 Karma
Reply

maryjomcguinnes
New Member
‎02-06-2018 08:28 AM

And yes Splunk seems to be running ok on the Windows server

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...