Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: forwarder not compressing despite being told t...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
forwarder not compressing despite being told to do so
summitcove
New Member
10-05-2010
02:05 AM
Hi There. I have 2 matching forwarders pointed to an indexer. One compresses, one doesn't. Any ideas why?
Machine that works
cat /opt/splunk/etc/system/local/outputs.conf
[tcpout]
defaultGroup = my_indexers
indexAndForward = true
[tcpout:my_indexers]
compressed = true
server = splunklog:29000
[tcpout-server://splunklog:29000]
compressed = true
Machine that doesn't work
cat /opt/splunk/etc/system/local/outputs.conf
[tcpout]
defaultGroup = my_indexers
indexAndForward = true
[tcpout:my_indexers]
compressed = true
server = splunklog:29001
[tcpout-server://splunklog:29001]
compressed = true
Indexer (machine that receives)
cat /opt/splunk/etc/system/local/inputs.conf
[default]
host = splunk.***********.com
[splunktcp://29000]
compressed = true
enableS2SHeartbeat = true
[splunktcp://29001]
compressed = true
enableS2SHeartbeat = true
Log that proves it (10...101 is the machine that doesn't send compressed)
tail /opt/splunk/var/logs/splunk/splunkd.log
10-04-2010 19:55:16.756 ERROR TcpInputProc - Received unrecognized signature --splunk-cooked-mode-v2--! from hostname=10.***.****.101, ip=10.***.****.101, port=41119
10-04-2010 19:55:16.756 INFO TcpInputProc - Hostname=10.***.****.101 closed connection
10-04-2010 19:55:47.771 INFO TcpInputProc - Connection in cooked mode from 10.***.****.101
10-04-2010 19:56:18.756 ERROR PipelineDataInput - Mismatch in configuration between forwarder and indexer. Expecting compressed data, but forwarder configured to send without compression
10-04-2010 19:56:18.756 ERROR TcpInputProc - Received unrecognized signature --splunk-cooked-mode-v2--! from hostname=10.***.****.101, ip=10.***.****.101, port=41120
10-04-2010 19:56:18.756 INFO TcpInputProc - Hostname=10.***.****.101 closed connection
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rodman
New Member
01-09-2013
09:56 AM
I am also seeing the same behavior. My compression settings are also set the same as yours. Were you able to find an answer?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
davidbrai
New Member
12-12-2010
08:42 PM
I'm having the same problem. Did you manage to fix it?
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...
SplunkTrust Application Period is Officially OPEN!
It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open.
If ...
Announcing Modern Navigation: A New Era of Splunk User Experience
We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...
