Getting Data In

Why has the TCP output processor has paused the data flow and why has forwarding to output group default-autolb-group been blocked?

New Member

Please help me to resolve the following issue. It seems I am getting no data through now at all

Tcpout Processor: The TCP output processor has paused the data flow. Forwarding to output group default-autolb-group has been blocked for 10 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data

Here is my output from running the following: splunk btool inputs list --debug

C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default
C:\Program Files\Splunk\etc\system\default\inputs.conf                               [fschange:C:\Program Files\Splunk\etc]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\system\default\inputs.conf                               delayInMills = 100
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\default\inputs.conf                               filesPerDelay = 10
C:\Program Files\Splunk\etc\system\default\inputs.conf                               followLinks = false
C:\Program Files\Splunk\etc\system\default\inputs.conf                               fullEvent = false
C:\Program Files\Splunk\etc\system\default\inputs.conf                               hashMaxSize = -1
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default
C:\Program Files\Splunk\etc\system\default\inputs.conf                               pollPeriod = 600
C:\Program Files\Splunk\etc\system\default\inputs.conf                               recurse = true
C:\Program Files\Splunk\etc\system\default\inputs.conf                               sendEventMaxSize = -1
C:\Program Files\Splunk\etc\system\default\inputs.conf                               signedaudit = true
C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf                [http]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf                allowSslCompression = true
C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf                allowSslRenegotiation = true
C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf                dedicatedIoThreads = 2
C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf                disabled = 1
C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf                enableSSL = 1
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default
C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf                maxSockets = 0
C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf                maxThreads = 0
C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf                port = 8088
C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf                sslVersions = *,-ssl2
C:\Program Files\Splunk\etc\apps\splunk_httpinput\default\inputs.conf                useDeploymentServer = 0
C:\Program Files\Splunk\etc\system\default\inputs.conf                               [monitor://C:\Program Files\Splunk\etc\splunk.version]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _TCP_ROUTING = *
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = _internal
C:\Program Files\Splunk\etc\system\default\inputs.conf                               sourcetype = splunk_version
C:\Program Files\Splunk\etc\apps\introspection_generator_addon\default\inputs.conf   [monitor://C:\Program Files\Splunk\var\log\introspectio
n]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\apps\introspection_generator_addon\default\inputs.conf   index = _introspection
C:\Program Files\Splunk\etc\system\default\inputs.conf                               [monitor://C:\Program Files\Splunk\var\log\splunk]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = _internal
C:\Program Files\Splunk\etc\system\default\inputs.conf                               [monitor://C:\Program Files\Splunk\var\log\splunk\licen
se_usage_summary.log]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = _telemetry
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 [monitor://C:\Windows\System32\DHCP]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 crcSalt = 
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 disabled = 1
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 index = windows
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 sourcetype = DhcpSrvLog
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 whitelist = DhcpSrvLog*
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 [monitor://C:\Windows\WindowsUpdate.log]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 disabled = 1
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 index = windows
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 sourcetype = WindowsUpdateLog
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 [perfmon://CPU]
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 counters = % Processor Time; % User Time; % Privileged
Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/
sec; C2 Transitions/sec; C3 Transitions/sec
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 disabled = 1
host = nc048046
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 index = perfmon
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 instances = *
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 interval = 10
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 object = Processor
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 useEnglishOnly = true
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 [perfmon://LogicalDisk]
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 counters = % Free Space; Free Megabytes; Current Disk Q
ueue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Le
ngth; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec;
Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 disabled = 1
host = nc048046
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 index = perfmon
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 instances = *
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 interval = 10
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 object = LogicalDisk
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 useEnglishOnly = true
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 [perfmon://Memory]
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 counters = Page Faults/sec; Available Bytes; Committed
Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Rea
ds/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page
Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver
Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transi
tion Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority
 Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 disabled = 1
host = nc048046
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 index = perfmon
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 interval = 10
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 object = Memory
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 useEnglishOnly = true
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 [perfmon://Network]
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 counters = Bytes Total/sec; Packets/sec; Packets Receiv
ed/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Rec
eived Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec;
Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesc
ed Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 disabled = 1
host = nc048046
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 index = perfmon
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 instances = *
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 interval = 10
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 object = Network Interface
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 useEnglishOnly = true
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 [perfmon://PhysicalDisk]
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 counters = Current Disk Queue Length; % Disk Time; Avg.
 Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer;
Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Writ
e Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 disabled = 1
host = nc048046
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 index = perfmon
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 instances = *
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 interval = 10
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 object = PhysicalDisk
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 useEnglishOnly = true
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 [perfmon://Process]
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 counters = % Processor Time; % User Time; % Privileged
Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Byte
s; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read
Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Byt
es/sec; IO Other Bytes/sec; Working Set - Private
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 disabled = 1
host = nc048046
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 index = perfmon
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 instances = *
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 interval = 10
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 object = Process
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 useEnglishOnly = true
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 [perfmon://System]
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 counters = File Read Operations/sec; File Write Operati
ons/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/
sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; F
loating Emulations/sec; % Registry Quota In Use
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 disabled = 1
host = nc048046
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 index = perfmon
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 instances = *
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 interval = 10
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 object = System
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 useEnglishOnly = true
C:\Program Files\Splunk\etc\system\default\inputs.conf                               [script]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default
C:\Program Files\Splunk\etc\system\default\inputs.conf                               interval = 60.0
C:\Program Files\Splunk\etc\system\default\inputs.conf                               start_by_shell = false
C:\Program Files\Splunk\etc\system\default\inputs.conf                               [script://C:\Program Files\Splunk\bin\scripts\splunk-wm
i.path]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\system\default\inputs.conf                               disabled = 0
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default
C:\Program Files\Splunk\etc\system\default\inputs.conf                               interval = 10000000
C:\Program Files\Splunk\etc\system\default\inputs.conf                               persistentQueueSize = 200MB
C:\Program Files\Splunk\etc\system\default\inputs.conf                               queue = winparsing
C:\Program Files\Splunk\etc\system\default\inputs.conf                               source = wmi
C:\Program Files\Splunk\etc\system\default\inputs.conf                               sourcetype = wmi
C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf          [script://C:\Program Files\Splunk\etc/apps/splunk_instr
umentation/bin/instrumentation.py]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf          disabled = false
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf          index = _telemetry
C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf          interval = 5 3 * * *
C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf          passAuth = splunk-system-user
C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf          source = instrumentation_scripted_input
C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf          sourcetype = splunk_telemetry_log
C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf          [script://C:\Program Files\Splunk\etc/apps/splunk_instr
umentation/bin/on_splunk_start.py]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf          disabled = false
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default
C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf          interval = -1
C:\Program Files\Splunk\etc\apps\splunk_instrumentation\default\inputs.conf          passAuth = splunk-system-user
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 [script://C:\Program Files\Splunk\etc\apps\Splunk_TA_wi
ndows\bin\win_installed_apps.bat]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 disabled = 1
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 index = windows
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 interval = 86400
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 sourcetype = Script:InstalledApps
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 [script://C:\Program Files\Splunk\etc\apps\Splunk_TA_wi
ndows\bin\win_listening_ports.bat]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 disabled = 1
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 index = windows
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 interval = 3600
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 sourcetype = Script:ListeningPorts
C:\Program Files\Splunk\etc\apps\introspection_generator_addon\default\inputs.conf   [script://C:\Program Files\Splunk\etc\apps\introspectio
n_generator_addon\bin\collector.path]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default
C:\Program Files\Splunk\etc\apps\introspection_generator_addon\default\inputs.conf   interval = 0
C:\Program Files\Splunk\etc\apps\introspection_generator_addon\default\inputs.conf   sourcetype = splunk_resource_usage__internal
C:\Program Files\Splunk\etc\apps\splunk_monitoring_console\default\inputs.conf       [script://C:\Program Files\Splunk\etc\apps\splunk_monit
oring_console\bin\dmc_config.py]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default
C:\Program Files\Splunk\etc\apps\splunk_monitoring_console\default\inputs.conf       interval = -1
C:\Program Files\Splunk\etc\apps\splunk_monitoring_console\default\inputs.conf       passAuth = splunk-system-user
C:\Program Files\Splunk\etc\system\default\inputs.conf                               [splunktcp]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\system\default\inputs.conf                               acceptFrom = *
C:\Program Files\Splunk\etc\system\default\inputs.conf                               connection_host = ip
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default
C:\Program Files\Splunk\etc\system\default\inputs.conf                               route = has_key:_replicationBucketUUID:replicationQueue
;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\local\inputs.conf [splunktcp://9997]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\local\inputs.conf connection_host = ip
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default
C:\Program Files\Splunk\etc\system\default\inputs.conf                               [tcp]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\system\default\inputs.conf                               acceptFrom = *
C:\Program Files\Splunk\etc\system\default\inputs.conf                               connection_host = dns
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default
C:\Program Files\Splunk\etc\system\default\inputs.conf                               [udp]
C:\Program Files\Splunk\etc\system\default\inputs.conf                               _rcvbuf = 1572864
C:\Program Files\Splunk\etc\system\default\inputs.conf                               connection_host = ip
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dc_name =
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf                 evt_dns_name =
C:\Program Files\Splunk\etc\system\default\inputs.conf                               evt_resolve_ad_obj = 0
C:\Program Files\Splunk\etc\system\local\inputs.conf                                 host = nc048046
C:\Program Files\Splunk\etc\system\default\inputs.conf                               index = default

C:\Program Files\Splunk\bin>splunk btool inputs list --debug
0 Karma

New Member

Hi, thanks for getting back to me iandrews. I have everything installed on the one Windows server. Splunk, universal forwarder etc. How do I check if the forwarder can connect to the inputs port?

0 Karma

Splunk Employee
Splunk Employee

If the server you're monitoring is also the splunk server, then you should just have to change all those "disabled = 1" to "disabled = 0", for the inputs you want, and restart splunk.

0 Karma

New Member

But I still need the Splunk App for Windows Infrastructure and Splunk Add-on for Windows and then just change all inputs in the inputs.conf to disabled=0 and then restart?

0 Karma

Splunk Employee
Splunk Employee

that should be it. also, those apps have lots of documentation on splunkbase

0 Karma

Splunk Employee
Splunk Employee

This usually happens when a forwarder cannot send something to an indexer. Is splunk running on your indexer? Is the input's port open? Can the forwarder connect to the input's port?

0 Karma

New Member

Hi thanks for getting back to me. I have everything installed on the one Windows server I am using, Splunk Enterprise, Universal Forwarder, Windows app for Splunk and Windows add on and selected the Windows host as the deployment server. How can I tell if the forwarder can connect to the inputs port?
Can you let me know if this configuration is supported, I couldn't find anywhere in the documentation that it isn't.

Thanks in advance for your help

0 Karma

Splunk Employee
Splunk Employee

I have everything installed on the one Windows server I am using, Splunk Enterprise, Universal Forwarder, Windows app for Splunk and Windows add on and selected the Windows host as the deployment server.

Do you have both splunk enterprise and splunk forwarder installed on the same machine?

0 Karma

New Member

Yes I do. I didn't know whether I needed the universal forwarder or not as I really just wanted to monitor the Windows server itself. Is it ok to have both on the same machine?

0 Karma

Splunk Employee
Splunk Employee

It is not, as both share some of the same ports. If the server you're monitoring is also the splunk server, then remove the universal forwarder. If your splunk server isn't the server you're monitoring, remove splunk enterprise.

0 Karma

New Member

I see, so that might have caused the TCP error/warning? I will remove the Universal Forwarder then as the Splunk server is the server I am monitoring. Could I just double check with you what I need for this scenario then. Splunk Enterprise, Splunk App for Windows infrastructure, Splunk Add on for Windows for just monitoring the Windows server I have these installed on? I don't necessarily need the Active Directory app/add on?

0 Karma

New Member

Ok thanks a lot for your help for now. Much appreciated

0 Karma

Splunk Employee
Splunk Employee

that's correct

0 Karma

New Member

And yes Splunk seems to be running ok on the Windows server

0 Karma