cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
SyntaxError
Engager
Member since: ‎02-26-2021
‎03-01-2021
Community Statistics
Posts 2
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎02-26-2021
Activity Feed
View All

Re: Adding Heavy Forwarder disrupts data flow to/f...

by in Security & the Enterprise
‎03-01-2021 02:27 PM
‎03-01-2021 02:27 PM
Thanks for the insight.  Now, I know that I'm not approaching this in the best way.  But I don't even know if what I'm doing is correct.  Let me re-write this.     I am trying to send the Indexer logs and records to a Forwarder (both on a separate, child domain).  That Forwarder also interfaces with the Enterprise domain on a secondary NIC.  I need to configure that Forwarder to receive (request?) the Indexer logs and records (from child domain) and forward those to the Enterprise Splunk server (on the main domain).   Is this possible with a Universal Forwarder?  Or it is, but only with a Heavy Forwarder?  Your help is appreciated. ... View more

Adding Heavy Forwarder disrupts data flow to/from ...

by in Security & the Enterprise
‎02-26-2021 03:37 PM
‎02-26-2021 03:37 PM
Version: Splunk Enterprise 7.2.9.1   Problem: If I add a Forwarder, in this case a Heavy Forwarder -- all data flow to/from all Forwarders stops. This occurs when I am adding the forwarder using the Splunk web interface (Settings >> Forwarding and Receiving >> "New Forwarding Host") and/or using the command prompt. I start receiving messages citing: "The TCP output processor has paused the data flow. Forwarding to host_dest=###### from host_src=###### has been blocked for blocked_seconds=####"...."This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data." And after 15 of so minutes, all Forwarder statuses are Missing. Splunk remains in this state indefinitely until I remove the just added Forwarder(s).   Intention Turn a Universal Forwarder into a Heavy Forwarder:  to route Indexed records from this child domain's Indexer to the Enterprise-level domain Splunk server.   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-01-2021 08:41 PM
Karma given to
View All