I'm testing the new Splunk version using the Java client SDK, and am seeing problems connecting to a TCP receiver port 9997.
When connecting I'm using a serviceargs map with the values {host=localhost, port=9997, scheme=https, username=admin, password=password}
When doing Service.connect(args) I'm getting an error:
could not connect to Splunk Server @ localhost:9997 - java.lang.RuntimeException: Remote host closed connection during handshake
From the splunkd.log there are log entries ->
10-28-2014 19:03:49.815 +0100 ERROR TcpInputProc - Message rejected. Received unexpected 369295360 byte message! from src=127.0.0.1:55247. Maximum message allowed: 67108864. (::)
There is no problem when using earlier versions of Splunk, e.g. 5.3.
Best,
Preben
The Service.connect method is used to connect to the Splunk REST API, which is against the management port. The port supplied in the ServiceArgs map refers to the management port. Note that TCP ports as configured in "Settings » Forwarding and receiving » Receive data » add new" (as you noted) are not HTTP/HTTPS - they are purely just TCP sockets, with no protocol on them.
I'm not sure how or why it worked in a previous version of Splunk - could it be that 9997 was actually your management port and not one defined as a TCP receiver?
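The "unexpected 369295360 byte message" in the log line from the question can be decoded to show what kind of client hit the raw TCP input; the following is an added example, not part of the original thread or of the Splunk SDK. It assumes the receiver read the first four bytes of the stream as a big-endian length, and the function names and the second log line are constructed for illustration.

```python
import re
import struct

# Constructed sample: the splunkd.log line quoted in the question, plus one
# constructed line showing what a plain-HTTP client would produce.
SAMPLE_LOG = """\
10-28-2014 19:03:49.815 +0100 ERROR TcpInputProc - Message rejected. Received unexpected 369295360 byte message! from src=127.0.0.1:55247. Maximum message allowed: 67108864. (::)
10-28-2014 19:04:02.101 +0100 ERROR TcpInputProc - Message rejected. Received unexpected 1195725856 byte message! from src=127.0.0.1:55301. Maximum message allowed: 67108864. (::)
"""

REJECT_RE = re.compile(r"Received unexpected (\d+) byte message! from src=(\S+?)\.\s")

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}
HTTP_PREFIXES = (b"GET ", b"POST", b"PUT ", b"HEAD", b"HTTP", b"DELE", b"OPTI")


def classify_length(length):
    """Guess the protocol from a bogus 'message length' (assumed big-endian u32)."""
    if not 0 <= length <= 0xFFFFFFFF:
        return "not a 32-bit value"
    raw = struct.pack(">I", length)          # recover the first four wire bytes
    ctype, major, minor = raw[0], raw[1], raw[2]
    # A TLS record starts with: content type, version major (3), version minor.
    if ctype in TLS_CONTENT_TYPES and major == 3 and minor in TLS_VERSIONS:
        return f"TLS record header ({TLS_CONTENT_TYPES[ctype]}, {TLS_VERSIONS[minor]})"
    if raw in HTTP_PREFIXES:
        return f"plain HTTP ({raw.decode('ascii').strip()})"
    return f"unrecognised bytes {raw.hex()}"


def scan(log_text):
    """Return (source, length, verdict) for each rejected-message line."""
    findings = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            length = int(m.group(1))
            findings.append((m.group(2), length, classify_length(length)))
    return findings


if __name__ == "__main__":
    for src, length, verdict in scan(SAMPLE_LOG):
        print(f"{src}: {length} -> {verdict}")
```

For the line in the question the bytes are 16 03 00 00, the start of an SSL/TLS handshake record, which matches scheme=https being pointed at a port that is not HTTPS.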
Ahh, you are right. Just took a step deeper. The connection is actually done using HTTP against the management port using the Service.connect. Later the service instance can be used to get a TCP socket connection using the open method ->
public Socket open(int port) throws IOException {
    return new Socket(this.host, port);
}
Just forgot
When you say a "tcp receiver port of 9997" - is this a TCP input port (from inputs.conf) or the management port for Splunk (i.e. the default being 8089)?
It's a tcp receiver port opened using the console -> Settings » Forwarding and receiving » Receive data » add new.
OK - Service.connect is used to connect to the management port (the REST API) - so you should use that port. Let me know if that makes sense.
I don't think that's correct. Look at the Service class; this is a general class for connecting to Splunk using http(s) at the port you configured in the args map.
This has been working fine on previous versions of Splunk.
Can you share the code you have that you are using? I want to make sure I am following what you are doing.