Monitoring Splunk

I recently installed the Universal Forwarder on the local machine, but I cannot see the Windows logs sent to the indexes.

MrBLeu
Loves-to-Learn

01-09-2025 17:01:37.725 -0500 WARN  TcpOutputProc [4940 parsing] - The TCP output processor has paused the data flow. Forwarding to host_dest=sbdcrib.splunkcloud.com inside output group default-autolb-group from host_src=CRBCITDHCP-01 has been blocked for blocked_seconds=1800. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.


isoutamo
SplunkTrust
It seems that your target is an SCP environment. Are you using the Universal Forwarder package from SCP? Based on those server names, you have something other than the AWS Victoria Experience in use, or otherwise you have the wrong outputs.conf in use.

gcusello
SplunkTrust

Hi @MrBLeu ,

From your description I see that you configured your UF to send logs (using outputs.conf), and I suppose that you configured the Indexer to receive logs.

If not, go to [Settings > Forwarding and Receiving > Forwarding] and configure the receiving port to use in the UF's outputs.conf.

Then, did your connection ever work, or not?

If never, check the connection using telnet from the UF to the IDX on the receiving port (by default 9997):

telnet <ip_IDX> 9997

Ciao.

Giuseppe


kiran_panchavat
Builder

@MrBLeu Hey, the servers configured in outputs.conf are not performing well. There could be many reasons:

- From the remote server, make sure you can reach the port on the indexer (telnet or something similar).
- Review the splunkd logs on the Windows server, grepping for the indexer IP.
- Make sure it's listening on 9997: ss -l | grep 9997
- Check the logs on the Universal Forwarder: $SPLUNK_HOME/var/log/splunk/splunkd.log
- Network issue from the Universal Forwarder to the Indexer.
- Indexers are overwhelmed with events coming in, or busy serving requests from the search head.
- Check that all servers (indexers) in the forwarder's outputs.conf are healthy (CPU and memory utilization).
- Check if you have deployed outputs.conf to the indexers by mistake; generally indexers don't have an outputs.conf.

I hope this helps, if any reply helps you, you could add your upvote/karma points to that reply, thanks.

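The two answers above both come down to the same procedure: read the forwarder's splunkd.log for the TcpOutputProc warning, pull out which destination is blocked and for how long, and then confirm the receiving port is reachable from the forwarder. The script below is an added example that does those steps in one place; it is not Splunk's own tooling and not code from anyone in this thread. It assumes the log line format exactly as quoted in the question (the constructed SAMPLE_LOG reuses that line), tolerates an optional :port suffix on host_dest, and uses names of my own (PAUSED_RE, parse_paused_outputs, check_tcp, triage). The connect check is a plain TCP handshake, the same thing telnet proves and nothing more: a reachable port still says nothing about TLS, the forwarder credentials app, or indexer health.

```python
"""Added example (not Splunk's own tooling): triage a paused TcpOutputProc.

Reads a Universal Forwarder's splunkd.log, extracts every
"TCP output processor has paused the data flow" warning, and then tries a
plain TCP connect to each host_dest on the receiving port (9997 by default).
"""
import re
import socket
from dataclasses import dataclass

# Constructed sample: the warning quoted in the question plus one unrelated line.
SAMPLE_LOG = """\
01-09-2025 17:01:12.001 -0500 INFO  TailReader - Batch input finished reading file
01-09-2025 17:01:37.725 -0500 WARN  TcpOutputProc [4940 parsing] - The TCP output processor has paused the data flow. Forwarding to host_dest=sbdcrib.splunkcloud.com inside output group default-autolb-group from host_src=CRBCITDHCP-01 has been blocked for blocked_seconds=1800. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.
"""

# Field layout taken from the quoted line; the optional ":port" on host_dest is an assumption.
PAUSED_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) WARN\s+TcpOutputProc"
    r".*?host_dest=(?P<host>[^\s:]+)(?::(?P<port>\d+))? inside output group (?P<group>\S+)"
    r" from host_src=(?P<src>\S+) has been blocked for blocked_seconds=(?P<secs>\d+)"
)


@dataclass(frozen=True)
class PausedOutput:
    timestamp: str
    host: str
    group: str
    source: str
    blocked_seconds: int


def parse_paused_outputs(log_text: str) -> list[PausedOutput]:
    """Return one PausedOutput per matching WARN line, in file order."""
    found = []
    for line in log_text.splitlines():
        m = PAUSED_RE.match(line)
        if m:
            found.append(PausedOutput(m["ts"], m["host"], m["group"], m["src"], int(m["secs"])))
    return found


def longest_block_per_host(paused: list[PausedOutput]) -> dict[str, int]:
    """Worst blocked_seconds seen per destination (the warning repeats while the output stays blocked)."""
    worst: dict[str, int] = {}
    for p in paused:
        worst[p.host] = max(worst.get(p.host, 0), p.blocked_seconds)
    return worst


def check_tcp(host: str, port: int = 9997, timeout: float = 3.0) -> tuple[bool, str]:
    """Plain TCP handshake check, the equivalent of `telnet <host> <port>`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "tcp connect ok"
    except socket.timeout:
        return False, "timeout (filtered by a firewall, or host unreachable)"
    except OSError as exc:  # ECONNREFUSED, DNS failure, no route, ...
        return False, f"{exc.__class__.__name__}: {exc}"


def unused_local_port() -> int:
    """Bind to port 0 and release it: a loopback port that should now refuse connects."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def triage(log_text: str, port: int = 9997, connect: bool = True) -> list[str]:
    """Findings per destination: how long it has been blocked and whether it answers on the port."""
    paused = parse_paused_outputs(log_text)
    if not paused:
        return ["no paused TcpOutputProc warnings found"]
    report = []
    for host, secs in longest_block_per_host(paused).items():
        line = f"{host}: blocked up to {secs}s ({secs // 60} min)"
        if connect:
            ok, why = check_tcp(host, port)
            line += "; port reachable, check TLS/credentials and indexer health" if ok else f"; {why}"
        report.append(line)
    return report


if __name__ == "__main__":
    import sys
    # With a path argument, read the real splunkd.log and do the connect checks;
    # with no argument, run offline against the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            findings = triage(fh.read())
    else:
        findings = triage(SAMPLE_LOG, connect=False)
    for finding in findings:
        print(finding)
```

Run it on the forwarder as `python triage.py "C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log"` (or the equivalent $SPLUNK_HOME path on Linux). A refused or timed-out connect points at the network or firewall between the UF and the receiver; a successful connect with the warning still recurring points at the receiving side, which is where the Monitoring Console and the outputs.conf checks in the answers above take over.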