Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk forwarder not sending data to Indexer server

uagraw01
Motivator
‎06-04-2024 09:00 AM

Hello Team,

I have configured splunk forwarder and on which I am getting below error,

WARN TcpOutputProc [8204 parsing] - The TCP output processor has paused the data flow. Forwarding to host_dest=WALVAU-VIDI-1 inside output group default-autolb-group from host_src=WALVAU-MCP-APP- has been blocked for blocked_seconds=400. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.

 

Task : I want to send data from Splunk forwarder to Splunk enterprise server ( Indexer )

1.  I opened outbound port on UF 9997

2. Opened inbound port 9997 on indexer

outputs.conf on UF

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = WALVAU-VIDI-1:9997

[tcpout-server://WALVAU-VIDI-1:9997]

inputs.conf on UF

[monitor://D:\BEXT\Walmart_VAU_ACP\Log\BPI*.log]
disabled = false
index = walmart_vau_acp
sourcetype = Walmart_VAU_ACP

Please help me to fix the issue. So that forwarder will send data to Indexer server.

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

uagraw01
Motivator
‎06-05-2024 08:39 PM

@inventsekar @deepakc I have attached below screenshot and its showing the correct port opened and listening perfectly. Please validate at once.

ON Indexer

uagraw01_0-1717644894880.png

On UF

uagraw01_1-1717644916799.png

On indexer

uagraw01_2-1717644948995.png

On UF

uagraw01_3-1717645067588.png

 

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎06-04-2024 12:00 PM

Hi @uagraw01 

1) pls check if all good with license.. do you see any warnings/errors related to license?

2) On the forwarder, pls check this:

$SPLUNK_HOME/bin/splunk btool outputs list --debug

3) On the indexer, pls check this:

$SPLUNK_HOME/bin/splunk btool inputs list --debug

(if $SPLUNK_HOME not setup properly, then add the exact path, like /opt/splunk)

4) from the UF, try to ping the indexer

5) from the UF, pls try to telnet the indexer at the receiving port

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply

deepakc
Builder
‎06-04-2024 09:25 AM

This could be a number of things causing issues, that said tcp ouput is normally something related to the network or setup.

A few things to check:

What does the inputs.conf look like on your indexer?

Check on the indexer the port - should show your configured port 9997
netstat -tupln

Is there a firewall blocking this port?

Can your UF communicate to Indexer?

Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...