getting errors from my splunk logs on monitor PC

rsingh
Explorer

Error 1 - ERROR TcpOutputFd - Read error. An established connection was aborted by the software in your host machine.

Error 2 - ERROR ExecProcessor - message from "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" splunk-winevtlog - WinEventMon::enumEvtLogChannels: Failed to enumerate event log channels: '(1722)'.

Error 3 - WARN TcpOutputProc - Forwarding to indexer group default-autolb-group blocked for 400 seconds.

This is my inputs.conf:

[default]
host = MYSERVER4

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[splunktcp://9996]
connection_host = none

outputs.conf:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = mysplunk.domain.com:9996

[tcpout-server://mysplunk.domain.com:9996]

Please help. I can telnet to port 9996, and on my Splunk server, Forwarding and Receiving > Receiving shows it receiving on port 9996.



lguinn2
Legend

This should NOT be part of the inputs.conf on your forwarder:

[splunktcp://9996]
connection_host = none

The forwarder is blocking itself.

If I misunderstood and both of these files are on the indexer: then the indexer is forwarding to itself, and again, it will be blocking.

I see these types of messages often when I make similar typos...

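The layout the accepted answer describes, written out as an added example (these are not the poster's files and not Splunk's shipped defaults; hostnames and the port are the ones from the question, and the WinEventLog stanza is an assumed input to show what a forwarder normally carries). The forwarder keeps only collection inputs plus an outputs.conf pointing at the indexer; the receiving stanza exists only on the indexer.

```ini
# --- Universal forwarder: %SPLUNK_HOME%\etc\system\local\inputs.conf ---
# Collection only. No [splunktcp://...] stanza belongs here: with one, the
# forwarder opens port 9996 itself and its output queue backs up against it.
[default]
host = MYSERVER4

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

# Assumed input, not shown in the question; Error 2 implies one is active.
[WinEventLog://Security]
disabled = 0

# --- Universal forwarder: %SPLUNK_HOME%\etc\system\local\outputs.conf ---
# Send everything to the indexer. The empty [tcpout-server://...] stanza from
# the question is unnecessary and omitted.
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = mysplunk.domain.com:9996

# --- Indexer (mysplunk.domain.com): $SPLUNK_HOME/etc/system/local/inputs.conf ---
# The only place the receiving port is declared. Valid connection_host values
# are ip, dns and none; the question used none. disabled = 0 is the default
# but is written out so a stale "disabled = 1" in another app cannot win.
[splunktcp://9996]
connection_host = none
disabled = 0
```

After changing either side, restart that Splunk instance; a forwarder that still shows "Forwarding to indexer group default-autolb-group blocked" after the stanza is gone has some other app in etc/apps contributing a splunktcp stanza, which btool can show.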

rsingh
Explorer

I removed the [splunktcp://9996] connection_host = none stanza, but the errors are still occurring.


dperre_splunk
Splunk Employee

Are you running the Splunk service as a user or as Local System? When you disable the service and run the following command, 'netstat -ano | findstr 9996', is there a record there?


dperre_splunk

Change the service to run as Local System. Unless you are pulling logs remotely from that machine, I don't see any need to run it as a user account.


rsingh
Explorer

I do have a Red Hat Splunk server.


dperre_splunk

Sorry, I was talking about the universal forwarder. Make the changes I mentioned above on the host that is running the universal forwarder, which should be a Windows machine. So let me know what user is running the service and what the results of the netstat command are.

Also, add disabled = 0 under [splunktcp://9996] on your indexer.


rsingh
Explorer

OK, so the universal forwarder is running as Local System. I ran the netstat command; where do I find the results? After I ran the command, nothing happens.


dperre_splunk

Hi rsingh,
Can you edit your original post and let us know where you got each config from, please? I.e., was inputs.conf from the indexer or the universal forwarder, and the same for outputs.conf.


rsingh
Explorer

Do you mean the location of inputs.conf and outputs.conf? If so, I edit them from here:

C:\Program Files\SplunkUniversalForwarder\etc\system\local


rsingh
Explorer

The Splunk service is running as a local user. I stopped the service and ran 'netstat -ano | findstr 9996'.

Where should I look for the record?

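The checks dperre_splunk asks for across the replies above (service account, listener on the port with the service stopped, and what the forwarder actually has configured), collected into one script as an added example that is not from the thread. It assumes the default install path, the Windows universal forwarder service name SplunkForwarder, and the indexer name and port from the question; run it in an elevated PowerShell on the Windows host running the forwarder. The netstat output the poster was looking for appears in the console, so the script prints the same information with the owning process resolved.

```powershell
# Added example: gather the evidence asked for in this thread on the UF host.
# Assumptions: default install path, service name "SplunkForwarder",
# indexer mysplunk.domain.com:9996 as in the question. Run elevated.
$SplunkHome = "$env:ProgramFiles\SplunkUniversalForwarder"
$Indexer    = 'mysplunk.domain.com'
$Port       = 9996

# 1. Which account runs the forwarder service (StartName is the answer).
Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'" |
    Select-Object Name, State, StartName

# 2. Stop the service, then list anything still bound to the port.
#    A listener with the forwarder stopped means another process owns 9996;
#    a listener owned by splunkd.exe while it runs means a [splunktcp://9996]
#    stanza is active on the forwarder itself.
Stop-Service SplunkForwarder
Get-NetTCPConnection -LocalPort $Port -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            State   = $_.State
            PID     = $_.OwningProcess
            Process = $proc.ProcessName
        }
    }

# 3. Every splunktcp stanza merged from all apps, with the source file of
#    each line. On a forwarder this list should be empty.
& "$SplunkHome\bin\splunk.exe" btool inputs list splunktcp --debug

# 4. Reachability of the indexer, then the forwarder's own view of it
#    (list forward-server prompts for the local admin credentials).
Test-NetConnection -ComputerName $Indexer -Port $Port |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
Start-Service SplunkForwarder
& "$SplunkHome\bin\splunk.exe" list forward-server

# 5. The three error classes from splunkd.log. Error 2's code 1722 is the
#    Win32 RPC_S_SERVER_UNAVAILABLE error, so also confirm the Windows
#    Event Log service is running before chasing it further.
Get-Service EventLog | Select-Object Name, Status
Select-String -Path "$SplunkHome\var\log\splunk\splunkd.log" `
    -Pattern 'TcpOutputFd|TcpOutputProc|enumEvtLogChannels' |
    Select-Object -Last 20 -ExpandProperty Line
```

If step 3 prints a [splunktcp://9996] stanza from any path under etc\apps, removing it from etc\system\local alone does not help; remove or disable it in the app that contributes it and restart the forwarder.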