Monitoring Splunk

Message rejected .Recevd unexpected 1532714272 byte message! ...

xsstest
Communicator

I am monitor a log file on data source server[IP :172.1.1.100] via UF.then sent it to a middle forwarder(Due to limited network access,I must need a middle forwarder). then middle forwarder forward it to cluster indexer.But my indexer did not receive any logs.I'm checked for _internal. get the followling error:

'TcpInputProc’ Message rejected .Recevd unexpected 1532714272 byte message! from src=172.1.1.100:42613 ,Maxinum message allowed:67108864.(::)

The following is inputs.conf and outputs.conf on data source server

cat /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/local/inputs.conf

[monitor:///data/www/logs/paycloud-app.log]
index=tomcat
sourcetype=tomcat_paycloud-app

cat /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/local/outputs.conf

[tcpout:indexer1]
server=172.21.1.111:9997
[tcpout]
defaultGroup = indexer1

The following is inputs.conf and outputs.conf on middle forwarder

cat /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/local/inputs.conf

[splunktcp://9997]
host=connection_ip

cat /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/local/outputs.conf

[indexer_discoverty:master1]
pass4SymmKey=123qwe!@#
master_uri=https://172.21.2.106

[tcpout:group1]
autoLBFrequency = 30
forceTimebasedAutoLB = true
indexerDiscovery = master1
useACK = true

Q: I confirmed the network is fully available.But why I do not receive any log?

Tags (1)
0 Karma

xsstest
Communicator

Does anyone know the answer?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...