Hi Good Afternoon,
Our Heavy Forwarder is unable to forward to one of the indexers but is able to send data to another indexer. Here is what I saw in splunkd.log of the Heavy Forwarder:
06-22-2022 13:24:03.471 -0400 ERROR TcpOutputFd [19320 TcpOutEloop] - Read error. Connection reset by peer
06-22-2022 13:24:03.472 -0400 ERROR TcpOutputFd [19320 TcpOutEloop] - Read error. Connection reset by peer
06-22-2022 13:24:03.472 -0400 ERROR TcpOutputFd [19320 TcpOutEloop] - Read error. Connection reset by peer
06-22-2022 13:24:03.472 -0400 WARN AutoLoadBalancedConnectionStrategy [19320 TcpOutEloop] - Applying quarantine to ip=xx.xx.xxx.xxx port=9996 _numberOfFailures=2
06-22-2022 13:24:03.473 -0400 ERROR TcpOutputFd [19320 TcpOutEloop] - Read error. Connection reset by peer
06-22-2022 13:24:03.473 -0400 WARN AutoLoadBalancedConnectionStrategy [19320 TcpOutEloop] - Applying quarantine to ip=yy.yy.yy.yy port=9996 _numberOfFailures=2
Was it ever able to connect? If so, what changed since then?
Port 9996 is non-standard. Is the HF using the correct port? Are all indexers listening on that port? Are all firewalls allowing connections to that port?
The quoted log is reporting errors connecting to two indexers rather than one. Perhaps the problem is more widespread.
Thank you for your response. If configured to send data to only one indexer it works fine. This is an issue only when the HF's outputs.conf sends data to multiple indexers based on a REGEX.
Please share the HF's outputs.conf (use btool).
Thank you for looking into it. Here is OUTPUTS.CONF:
[tcpout:sndIndexers]
server = indexer1:9996
sslPassword = <<Password>>
[tcpout:tstIndexers]
server = indexer2:9996
sslPassword = <<password2>>
Thank you for looking into it. I looked further into the logs and found errors from the indexer(s) also:
On Heavy Forwarder:
====================
06-22-2022 13:24:03.471 -0400 ERROR TcpOutputFd [19320 TcpOutEloop] - Read error. Connection reset by peer
06-22-2022 13:24:03.472 -0400 ERROR TcpOutputFd [19320 TcpOutEloop] - Read error. Connection reset by peer
06-22-2022 13:24:03.472 -0400 ERROR TcpOutputFd [19320 TcpOutEloop] - Read error. Connection reset by peer
06-22-2022 13:24:03.472 -0400 WARN AutoLoadBalancedConnectionStrategy [19320 TcpOutEloop] - Applying quarantine to ip=xx.xx.xx.xx port=9996 _numberOfFailures=2
06-22-2022 13:24:03.473 -0400 ERROR TcpOutputFd [19320 TcpOutEloop] - Read error. Connection reset by peer
06-22-2022 13:24:03.473 -0400 WARN AutoLoadBalancedConnectionStrategy [19320 TcpOutEloop] - Applying quarantine to ip=yy.yy.yy.yy port=9996 _numberOfFailures=2
On Indexers:
==============
TcpInputProc [27164 FwdDataReceiverThread] - Error encountered for connection from src=xxxxx error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
That looks like an SSL problem. Make sure the forwarder is using https and has the right certificate for the indexers.
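An added example, not part of the original thread or of Splunk: a small Python triage script that parses the two log excerpts quoted above (forwarder-side TcpOutputFd/AutoLoadBalancedConnectionStrategy lines and the indexer-side TcpInputProc line) and pairs them into a single finding. The sample lines are constructed to match the thread's format, with placeholder IPs; the mention of sslCertPath/sslRootCAPath in outputs.conf and the [splunktcp-ssl] input stanza is the standard Splunk configuration for a TLS receiving port and is an assumption about this deployment, not something the thread confirms.

```python
import re

# Constructed sample lines modelled on the thread's excerpts (IPs are placeholders).
HF_LOG = """\
06-22-2022 13:24:03.471 -0400 ERROR TcpOutputFd [19320 TcpOutEloop] - Read error. Connection reset by peer
06-22-2022 13:24:03.472 -0400 ERROR TcpOutputFd [19320 TcpOutEloop] - Read error. Connection reset by peer
06-22-2022 13:24:03.472 -0400 WARN AutoLoadBalancedConnectionStrategy [19320 TcpOutEloop] - Applying quarantine to ip=10.0.0.11 port=9996 _numberOfFailures=2
06-22-2022 13:24:03.473 -0400 WARN AutoLoadBalancedConnectionStrategy [19320 TcpOutEloop] - Applying quarantine to ip=10.0.0.12 port=9996 _numberOfFailures=2
"""
IDX_LOG = """\
06-22-2022 13:24:03.470 -0400 ERROR TcpInputProc [27164 FwdDataReceiverThread] - Error encountered for connection from src=10.0.0.5:51234 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
"""

RESET_RE = re.compile(r"TcpOutputFd .* Read error\. Connection reset by peer")
QUARANTINE_RE = re.compile(
    r"Applying quarantine to ip=(?P<ip>\S+) port=(?P<port>\d+) _numberOfFailures=(?P<n>\d+)"
)
# OpenSSL error text as Splunk prints it: error:<code>:SSL routines:<function>:<reason>
SSL_RE = re.compile(
    r"TcpInputProc .* src=(?P<src>\S+) error:(?P<code>[0-9A-Fa-f]+):SSL routines:(?P<func>[^:]+):(?P<reason>.+)$"
)


def parse_forwarder(text):
    """Count connection resets and collect quarantined ip:port targets with their failure counts."""
    resets = 0
    quarantined = {}
    for line in text.splitlines():
        if RESET_RE.search(line):
            resets += 1
        m = QUARANTINE_RE.search(line)
        if m:
            quarantined[(m["ip"], int(m["port"]))] = int(m["n"])
    return {"resets": resets, "quarantined": quarantined}


def parse_indexer(text):
    """Extract TLS handshake failures reported by the receiving input."""
    errors = []
    for line in text.splitlines():
        m = SSL_RE.search(line)
        if m:
            errors.append({"src": m["src"], "func": m["func"], "reason": m["reason"].strip()})
    return errors


def diagnose(hf, idx_errors):
    """Correlate both sides into findings a forwarder admin can act on."""
    findings = []
    if hf["quarantined"]:
        targets = ", ".join(f"{ip}:{port}" for ip, port in sorted(hf["quarantined"]))
        findings.append(f"forwarder quarantined {len(hf['quarantined'])} receiver(s): {targets}")
    # GET_CLIENT_HELLO ... unknown protocol means the receiver got bytes that are not a TLS
    # ClientHello, i.e. the client spoke plaintext to a TLS-only port. Together with the
    # resets on the forwarder side that points at an outputs.conf/inputs.conf TLS mismatch.
    hello_failures = [
        e for e in idx_errors
        if "GET_CLIENT_HELLO" in e["func"] and "unknown protocol" in e["reason"]
    ]
    if hello_failures and hf["resets"]:
        srcs = ", ".join(sorted({e["src"] for e in hello_failures}))
        findings.append(
            "receiver rejected a non-TLS ClientHello from "
            f"{srcs}: forwarder is likely sending plaintext to a TLS input; "
            "check sslCertPath/sslRootCAPath in the tcpout stanza and that the "
            "indexer port is a [splunktcp-ssl] input"
        )
    return findings


if __name__ == "__main__":
    for f in diagnose(parse_forwarder(HF_LOG), parse_indexer(IDX_LOG)):
        print("-", f)
```

Run against the real splunkd.log on each side by replacing the constructed strings with the file contents; the correlation only fires when both the forwarder resets and the indexer's ClientHello rejection are present, so a plain firewall block (resets without any TcpInputProc error) produces only the quarantine finding.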
Thank you again.
Where can I find the sslPassword for OUTPUTS.CONF?
[tcpout:sndIndexers]
server = xx.xx.xx.xx:9996
sslPassword =
Ask the person who created the certificate. Failing that, you'll likely have to re-generate the certificate with a new password.
Where's the part where you send to multiple indexers using regex?
It's in TRANSFORMS.CONF:
[xxxx]
REGEX=xxxxxx
DEST_KEY=_TCP_ROUTING
FORMAT=sndIndexers
[yyyy]
REGEX=yyyyy
DEST_KEY=_TCP_ROUTING
FORMAT=tstIndexers