The TCP output processor has paused the data flow

Wierengaaj · ‎11-16-2020

I recently transitioned to a new instance of Splunk and have been having some trouble configuring the new environment.

I have 8 remote Windows hosts with identical forwarders (inputs.conf and outputs.conf are the same on all 8). 5 of the hosts are forwarding information correctly but 3 are reporting: "The TCP output processor has paused the data flow".

After reviewing some of the similar posts, it seems this error message is generic and just says there's nothing wrong with the forwarder, but there's something wrong with the server.

I reviewed the monitoring console but didn't see anything that would indicate the server or index not having the ability to receive more information.

teunlaan · ‎11-20-2020

Did you check firewall's? If your forwarder can't connect the indexer, you get the same message

The TCP output processor has paused the data flow

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation

The TCP output processor has paused the data flow

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A