Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk forwarder not sending data to Indexer server

uagraw01
Motivator
‎06-04-2024 09:00 AM

Hello Team,

I have configured splunk forwarder and on which I am getting below error,

WARN TcpOutputProc [8204 parsing] - The TCP output processor has paused the data flow. Forwarding to host_dest=WALVAU-VIDI-1 inside output group default-autolb-group from host_src=WALVAU-MCP-APP- has been blocked for blocked_seconds=400. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.

 

Task : I want to send data from Splunk forwarder to Splunk enterprise server ( Indexer )

1.  I opened outbound port on UF 9997

2. Opened inbound port 9997 on indexer

outputs.conf on UF

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = WALVAU-VIDI-1:9997

[tcpout-server://WALVAU-VIDI-1:9997]

inputs.conf on UF

[monitor://D:\BEXT\Walmart_VAU_ACP\Log\BPI*.log]
disabled = false
index = walmart_vau_acp
sourcetype = Walmart_VAU_ACP

Please help me to fix the issue. So that forwarder will send data to Indexer server.

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

uagraw01
Motivator
‎06-05-2024 08:39 PM

@inventsekar @deepakc I have attached below screenshot and its showing the correct port opened and listening perfectly. Please validate at once.

ON Indexer

uagraw01_0-1717644894880.png

On UF

uagraw01_1-1717644916799.png

On indexer

uagraw01_2-1717644948995.png

On UF

uagraw01_3-1717645067588.png

 

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎06-04-2024 12:00 PM

Hi @uagraw01 

1) pls check if all good with license.. do you see any warnings/errors related to license?

2) On the forwarder, pls check this:

$SPLUNK_HOME/bin/splunk btool outputs list --debug

3) On the indexer, pls check this:

$SPLUNK_HOME/bin/splunk btool inputs list --debug

(if $SPLUNK_HOME not setup properly, then add the exact path, like /opt/splunk)

4) from the UF, try to ping the indexer

5) from the UF, pls try to telnet the indexer at the receiving port

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply

deepakc
Builder
‎06-04-2024 09:25 AM

This could be a number of things causing issues, that said tcp ouput is normally something related to the network or setup.

A few things to check:

What does the inputs.conf look like on your indexer?

Check on the indexer the port - should show your configured port 9997
netstat -tupln

Is there a firewall blocking this port?

Can your UF communicate to Indexer?

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...