Error 1 - ERROR TcpOutputFd - Read error. An established connection was aborted by the software in your host machine.
Error 2 - ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::enumEvtLogChannels: Failed to enumerate event log channels: '(1722)'.
Error 3 - WARN TcpOutputProc - Forwarding to indexer group default-autolb-group blocked for 400 seconds.
this is my input.conf
[default]
host = MYSERVER4
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[splunktcp://9996]
Connection_host = none
output.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = mysplunk.domain.com:9996
[tcpout-server://mysplunk.domain.com:9996]
Please help. I can telnet into port 9996 and my Splunk server = Forwarding and Receiving > Receiving on port 9996
This should NOT be part of the inputs.conf on your forwarder:
[splunktcp://9996]
Connection_host = none
The forwarder is blocking itself.
If I misunderstood and both of these files are on the indexer: then the indexer is forwarding to itself, and again, it will be blocking.
I see these types of messages often when I make similar typos...
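Added example, not part of the original thread and not Splunk's own tooling: a small Python check for the two conditions this answer names, a splunktcp listener on the same port the instance forwards to, and a tcpout target that matches the instance's own host name. The function names and the simplified .conf parser are assumptions made for illustration; the sample text is constructed from the files posted in the question.

```python
import re

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}} (no line continuations)."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def check_forwarder(inputs_text, outputs_text):
    """Return a list of findings; an empty list means neither condition was seen."""
    inputs, outputs = parse_conf(inputs_text), parse_conf(outputs_text)
    local = inputs.get("default", {}).get("host", "").split(".")[0].lower()
    # Ports with an enabled splunktcp listener: [splunktcp://9996] or [splunktcp://host:9996].
    listen = {name.rsplit(":", 1)[-1].lstrip("/") for name, cfg in inputs.items()
              if name.startswith("splunktcp://")
              and cfg.get("disabled", "0").lower() not in ("1", "true")}
    findings = []
    for name, cfg in outputs.items():
        if not name.startswith("tcpout:"):
            continue  # only forwarding groups carry the server list
        for target in filter(None, (t.strip() for t in cfg.get("server", "").split(","))):
            host, _, port = target.rpartition(":")
            if port in listen:
                findings.append(f"splunktcp listener on port {port} matches tcpout target {target}")
            if local and host.split(".")[0].lower() == local:
                findings.append(f"tcpout target {target} matches local host name '{local}'")
    return findings

# Constructed sample: the two files as posted in the question.
INPUTS = r"""[default]
host = MYSERVER4
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[splunktcp://9996]
Connection_host = none
"""
OUTPUTS = """[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = mysplunk.domain.com:9996
"""
```

Calling check_forwarder(INPUTS, OUTPUTS) returns one finding for port 9996; with the [splunktcp://9996] stanza removed it returns an empty list.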
I removed the [splunktcp://9996] Connection_host = none, but the errors are still occurring.
Are you running the Splunk service as a user or local system? When you disable the service and run the following command 'netstat -ano | findstr 9996' is there a record there?
Change the service to run as local system. Unless you are pulling logs remotely from that machine I don't see any need to run as a user account.
I do have a Red Hat Splunk server.
Sorry, I was talking about the universal forwarder. Perform the actions I mentioned above on the host that is running the universal forwarder, which should be a Windows machine. So let me know what user is running the service and what the results of the netstat command are.
Also, add disabled = 0 under splunktcp:9996 on your indexer.
OK, so the universal forwarder is running as Local System. I ran a netstat command - where do I find the results? After I ran the command nothing happens.
Hi rsingh,
Can you edit your original post and let us know where you got each config from, please? I.e., was inputs.conf from the indexer or the universal forwarder, and the same for outputs.conf.
Do you mean the location of the input and output.conf? If so, I edit them from here:
C:\Program Files\SplunkUniversalForwarder\etc\system\local
Splunk service is running as a local user. I stopped the service and ran 'netstat -ano | findstr 9996'.
Where should I look for the record?