Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

forwarder not compressing despite being told to do so

summitcove
New Member
‎10-05-2010 02:05 AM

Hi There. I have 2 matching forwarders pointed to an indexer. One compresses, one doesn't. Any ideas why?

Machine that works

cat /opt/splunk/etc/system/local/outputs.conf 
[tcpout]
defaultGroup = my_indexers
indexAndForward = true

[tcpout:my_indexers]
compressed = true
server = splunklog:29000

[tcpout-server://splunklog:29000]
compressed = true

Machine that doesn't work

cat /opt/splunk/etc/system/local/outputs.conf 
[tcpout]
defaultGroup = my_indexers
indexAndForward = true

[tcpout:my_indexers]
compressed = true
server = splunklog:29001

[tcpout-server://splunklog:29001]
compressed = true

Indexer (machine that receives)

cat /opt/splunk/etc/system/local/inputs.conf 
[default]
host = splunk.***********.com

[splunktcp://29000]
compressed = true
enableS2SHeartbeat = true

[splunktcp://29001]
compressed = true
enableS2SHeartbeat = true

Log that proves it (10...101 is the machine that doesn't send compressed)

tail /opt/splunk/var/logs/splunk/splunkd.log
10-04-2010 19:55:16.756 ERROR TcpInputProc - Received unrecognized signature --splunk-cooked-mode-v2--! from hostname=10.***.****.101, ip=10.***.****.101, port=41119
10-04-2010 19:55:16.756 INFO  TcpInputProc - Hostname=10.***.****.101 closed connection
10-04-2010 19:55:47.771 INFO  TcpInputProc - Connection in cooked mode from 10.***.****.101
10-04-2010 19:56:18.756 ERROR PipelineDataInput - Mismatch in configuration between forwarder and indexer. Expecting compressed data, but forwarder configured to send without compression
10-04-2010 19:56:18.756 ERROR TcpInputProc - Received unrecognized signature --splunk-cooked-mode-v2--! from hostname=10.***.****.101, ip=10.***.****.101, port=41120
10-04-2010 19:56:18.756 INFO  TcpInputProc - Hostname=10.***.****.101 closed connection
Tags (1)
0 Karma
Reply

rodman
New Member
‎01-09-2013 09:56 AM

I am also seeing the same behavior. My compression settings are also set the same as yours. Were you able to find an answer?

0 Karma
Reply

davidbrai
New Member
‎12-12-2010 08:42 PM

I'm having the same problem. Did you manage to fix it?

0 Karma
Reply
Get Updates on the Splunk Community!

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...