Having trouble with routing problem with _TCP_ROUT...

okumar1 · ‎02-01-2023

Hi,

I am having trouble for routing the logs(first.txt) to separate index1/2 and second.txt to index3/4.

below are my environment

inputs.conf

[monitor:///home/odelakumar06/first.txt]
disabled = false
host = hf
index = firstone
sourcetype = firstone
_TCP_ROUTING = FirstGroupIndexer

[monitor:///home/odelakumar06/second.txt]
disabled = false
host = hf
index = secondone
sourcetype = secondone
_TCP_ROUTING = SecondGroupIndexer

and my outputs.conf is

[tcpout]
defaultGroup = FirstGroupIndexer,SecondGroupIndexer

[tcpout:FirstGroupIndexer]
disabled = false
server = 34.100.154.111:9997,35.244.6.201:9997

[tcpout:SecondGroupIndexer]
disabled = false
server = 34.100.190.134:9997,34.93.239.18:9997

and i have one SH and i added all the above indexes in SH.

when i search in SH index=firstone, nothing i am getting.

when i see splunkd log getting below errors. Please suggest

02-02-2023 06:33:10.051 +0000 ERROR TcpInputProc [1983 FwdDataReceiverThread] - Message rejected. Received unexpected message of size=1195725856 bytes from src=162.142.125.9:49748 in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.

host = indx-1
source =/opt/splunk/var/log/splunk/splunkd.log
sourcetype = splunkd

PaulPanther · ‎02-02-2023

@okumar1 Please provide some more information about your architecture. Are the 4 indexer part of one indexer cluster?

okumar1 · ‎02-03-2023

no all 4 indexers are standalone only and i have added all these 4 search peers into SH under distributed search. Please guide me

Having trouble with routing problem with _TCP_ROUTING?

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?