The thing is that the network isn't being managed by me. I was just told to take advantage of HF (UF doesn't have access to the internet) and make everything up and running. But according to the customer, who is managing the network, there is nothing that could block communication between HF and UF. ... View more

My bad. It's typo. The second output is from HF.  Anyway I'm pasting it here again:  [splunktcp] _rcvbuf = 1572864 acceptFrom = * connection_host = ip host = $decideOnStartup index = default route = has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue [splunktcp://9997] _rcvbuf = 1572864 connection_host = 10.24.118.91 disabled = false host = $decideOnStartup index = discol ... View more

From UF [syslog] maxEventSize = 1024 priority = <13> type = udp [tcpout] ackTimeoutOnShutdown = 30 autoLBFrequency = 30 autoLBVolume = 0 blockOnCloning = true blockWarnThreshold = 100 cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256 compressed = false connectionTTL = 0 connectionTimeout = 20 defaultGroup = default-autolb-group disabled = false dropClonedEventsOnQueueFull = 5 dropEventsOnQueueFull = -1 ecdhCurves = prime256v1, secp384r1, secp521r1 forceTimebasedAutoLB = false forwardedindex.0.whitelist = .* forwardedindex.1.blacklist = _.* forwardedindex.2.whitelist = (_audit|_introspection|_internal|_telemetry) forwardedindex.filter.disable = false heartbeatFrequency = 30 indexAndForward = false maxConnectionsPerIndexer = 2 maxFailuresPerInterval = 2 maxQueueSize = auto readTimeout = 300 secsInFailureInterval = 1 sendCookedData = true sslQuietShutdown = false sslVersions = tls1.2 tcpSendBufSz = 0 useACK = false useClientSSLCompression = true writeTimeout = 300 [tcpout-server://172.23.11.216:9997] [tcpout:default-autolb-group] disabled = false server = 172.23.11.216:9997 sslPassword = password From UF [splunktcp] _rcvbuf = 1572864 acceptFrom = * connection_host = ip host = $decideOnStartup index = default route = has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue [splunktcp://9997] _rcvbuf = 1572864 connection_host = 10.24.118.91 disabled = false host = $decideOnStartup index = discol I've only just added connection_host setup , but it didn't make any difference.  Logfile: 11-17-2021 09:31:50.643 +0000 WARN TcpOutputProc [18893 parsing] - The TCP output processor has paused the data flow. Forwarding to host_dest=172.23.11.216 inside output group default-autolb-group from host_src=ldcrapnvvip10 has been blocked for blocked_seconds=47000. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data. 11-17-2021 09:32:26.647 +0000 ERROR TcpOutputFd [18894 TcpOutEloop] - Read error. Connection reset by peer 11-17-2021 09:32:26.648 +0000 ERROR TcpOutputFd [18894 TcpOutEloop] - Read error. Connection reset by peer 11-17-2021 09:32:26.648 +0000 WARN AutoLoadBalancedConnectionStrategy [18894 TcpOutEloop] - Applying quarantine to ip=172.23.11.216 port=9997 _numberOfFailures=2   ... View more

inputs.conf file from $SPLUNK_HOME/etc/apps/search/local [splunktcp://9997] disabled = false Forget my ignorance, but should I add this stanza to $SPLUNK_HOME/etc/system/local/inputs.conf file as well?    ... View more

@PickleRick I double-checked TLS/SSL configuration on both sides. Looks like default setting and it's the same. I've check memory utilization on HF and it's quite high:  96% memory is consumed. Could it be a culprit?  ... View more

@PickleRick ACK/RST packet turns up after 3-way handshake.  I caught some TLSv1 packets. Looks like TLS hello packet from UF towards HF, so your guess related to TLS mismatch can be right.  ... View more

@gcusello  I successfully did.  ... View more

Yes, there is. However, HF replys to UF with [RST,ACK] packets. This generally means that port is closed, but in reality it isn't. As I mentioned before, I can telnet to HF on port 8089. ... View more

[tcpout] defaultGroup = default-autolb-group [tcpout:default-autolb-group] disabled = false server = 172.23.11.216:9997 [tcpout-server://172.23.11.216:9997]  172.23.11.216 is obviously address of HW.  ... View more

index=_internal host=<hostname_Heavy_Forwarder> OK index=_internal host=<hostname_Universal_Forwarder> Nothing index=* host=<hostname_Universal_Forwarder> Nothing @gcusello  Only data from HF are visible in the cloud.  ... View more

I added one logfile to being monitored under HF and can see results in a cloud. ... View more

It works. ... View more

Yes, I allowed traffic on these 3 ports, just to be on safe side firewall-cmd --zone=public --permanent --add-port=8000/tcp firewall-cmd --zone=public --permanent --add-port=9997/tcp firewall-cmd --zone=public --permanent --add-port=8089/tcp ... View more

Either input and output seem to be ok. ... View more

Hi @gcusello. I think I did, but currently doesn't have access to webgui. Can I confirm these settings in CLI?   regards, Sz  ... View more

Below is input config of HF. /opt/splunk/etc/system/default/inputs.conf [SSL] /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/system/default/inputs.conf allowSslRenegotiation = true /opt/splunk/etc/system/default/inputs.conf cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 /opt/splunk/etc/system/default/inputs.conf ecdhCurves = prime256v1, secp384r1, secp521r1 /opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup /opt/splunk/etc/system/default/inputs.conf index = default /opt/splunk/etc/system/default/inputs.conf sslQuietShutdown = false /opt/splunk/etc/system/default/inputs.conf sslVersions = tls1.2 /opt/splunk/etc/system/default/inputs.conf [batch:///opt/splunk/var/run/splunk/search_telemetry/*search_telemetry.json] /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/system/default/inputs.conf crcSalt = <SOURCE> /opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup /opt/splunk/etc/system/default/inputs.conf index = _introspection /opt/splunk/etc/system/default/inputs.conf log_on_completion = 0 /opt/splunk/etc/system/default/inputs.conf move_policy = sinkhole /opt/splunk/etc/system/default/inputs.conf sourcetype = search_telemetry /opt/splunk/etc/system/default/inputs.conf [batch:///opt/splunk/var/spool/splunk] /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/system/default/inputs.conf crcSalt = <SOURCE> /opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup /opt/splunk/etc/system/default/inputs.conf index = default /opt/splunk/etc/system/default/inputs.conf move_policy = sinkhole /opt/splunk/etc/system/default/inputs.conf [batch:///opt/splunk/var/spool/splunk/...stash_hec] /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/system/default/inputs.conf crcSalt = <SOURCE> /opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup /opt/splunk/etc/system/default/inputs.conf index = default /opt/splunk/etc/system/default/inputs.conf move_policy = sinkhole /opt/splunk/etc/system/default/inputs.conf sourcetype = stash_hec /opt/splunk/etc/system/default/inputs.conf [batch:///opt/splunk/var/spool/splunk/...stash_new] /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/system/default/inputs.conf crcSalt = <SOURCE> /opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup /opt/splunk/etc/system/default/inputs.conf index = default /opt/splunk/etc/system/default/inputs.conf move_policy = sinkhole /opt/splunk/etc/system/default/inputs.conf queue = stashparsing /opt/splunk/etc/system/default/inputs.conf sourcetype = stash_new /opt/splunk/etc/system/default/inputs.conf time_before_close = 0 /opt/splunk/etc/system/default/inputs.conf [batch:///opt/splunk/var/spool/splunk/tracker.log*] /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup /opt/splunk/etc/system/default/inputs.conf index = _internal /opt/splunk/etc/system/default/inputs.conf move_policy = sinkhole /opt/splunk/etc/system/default/inputs.conf sourcetype = splunkd_latency_tracker /opt/splunk/etc/system/default/inputs.conf [blacklist:/opt/splunk/etc/auth] /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup /opt/splunk/etc/system/default/inputs.conf index = default /opt/splunk/etc/system/default/inputs.conf [blacklist:/opt/splunk/etc/passwd] /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup /opt/splunk/etc/system/default/inputs.conf index = default /opt/splunk/etc/system/default/inputs.conf [fschange:/opt/splunk/etc] /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/system/default/inputs.conf delayInMills = 100 /opt/splunk/etc/system/default/inputs.conf disabled = false /opt/splunk/etc/system/default/inputs.conf filesPerDelay = 10 /opt/splunk/etc/system/default/inputs.conf followLinks = false /opt/splunk/etc/system/default/inputs.conf fullEvent = false /opt/splunk/etc/system/default/inputs.conf hashMaxSize = -1 /opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup /opt/splunk/etc/system/default/inputs.conf index = default /opt/splunk/etc/system/default/inputs.conf pollPeriod = 600 /opt/splunk/etc/system/default/inputs.conf recurse = true /opt/splunk/etc/system/default/inputs.conf sendEventMaxSize = -1 /opt/splunk/etc/system/default/inputs.conf signedaudit = true /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf [http] /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf ackIdleCleanup = true /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf allowSslCompression = true /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf allowSslRenegotiation = true /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf dedicatedIoThreads = 2 /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf disabled = 1 /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf enableSSL = 1 /opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup /opt/splunk/etc/system/default/inputs.conf index = default /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf maxSockets = 0 /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf maxThreads = 0 /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf port = 8088 /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf sslVersions = *,-ssl2 /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf useDeploymentServer = 0 /opt/splunk/etc/system/default/inputs.conf [monitor:///opt/splunk/etc/splunk.version] /opt/splunk/etc/system/default/inputs.conf _TCP_ROUTING = * /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup /opt/splunk/etc/system/default/inputs.conf index = _internal /opt/splunk/etc/system/default/inputs.conf sourcetype = splunk_version /opt/splunk/etc/apps/introspection_generator_addon/default/inputs.conf [monitor:///opt/splunk/var/log/introspection] /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup /opt/splunk/etc/apps/introspection_generator_addon/default/inputs.conf index = _introspection /opt/splunk/etc/system/default/inputs.conf [monitor:///opt/splunk/var/log/splunk] /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup /opt/splunk/etc/system/default/inputs.conf index = _internal /opt/splunk/etc/system/default/inputs.conf [monitor:///opt/splunk/var/log/splunk/license_usage_summary.log] /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup /opt/splunk/etc/system/default/inputs.conf index = _telemetry /opt/splunk/etc/system/default/inputs.conf [monitor:///opt/splunk/var/log/splunk/splunk_instrumentation_cloud.log*] /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup /opt/splunk/etc/system/default/inputs.conf index = _telemetry /opt/splunk/etc/system/default/inputs.conf sourcetype = splunk_cloud_telemetry /opt/splunk/etc/system/default/inputs.conf [monitor:///opt/splunk/var/log/watchdog/watchdog.log*] /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup /opt/splunk/etc/system/default/inputs.conf index = _internal /opt/splunk/etc/apps/search/local/inputs.conf [monitor:///var/log/secure] /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/apps/search/local/inputs.conf disabled = false /opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup /opt/splunk/etc/apps/search/local/inputs.conf index = discol /opt/splunk/etc/system/default/inputs.conf [script] /opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864 /opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup /opt/splunk/etc/system/default/inputs.conf index = default /opt/splunk/etc/system/default/inputs.conf interval = 60.0 /opt/splunk/etc/system/default/inputs.conf start_by_shell = true ... View more

Hi  manjunathmeti,   Thanks for your effort.    Your query extracts field1 correctly, but field2 is empty.  No idea why. ... View more