Hi,
I want to forward the metrics and splunkd logs with the /apps/**SplunkUniversalForwarder** app to my indexer via TCP port 9997 to manage the forwarder, but there are some errors. There are problems connecting to the TCP receiver port.
Splunk Version: 6.4.0
I am able to telnet from the forwarder to the receiver on port 9997.
**Forwarder splunkd.log error & warning logs**
INFO TcpOutputProc - Connected to idx=yy.yy.yy.y7:9997
ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
INFO TcpOutputProc - Connection to yy.yy.yy.y7:9997 closed. Read error. An existing connection was forcibly closed by the remote host.
INFO TcpOutputProc - Connected to idx=yy.yy.yy.y7:9997
ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
INFO TcpOutputProc - Connection to yy.yy.yy.y7:9997 closed. Read error. An existing connection was forcibly closed by the remote host.
WARN TcpOutputProc - Applying quarantine to ip=yy.yy.yy.y7 port=9997 _numberOfFailures=2
WARN TcpOutputProc - Forwarding to indexer group **indexer blocked for 400 seconds.**
**Indexer splunkd.log error logs**
ERROR TcpInputProc - **Message rejected. Received unexpected 740320117 byte message!** from src=xx.xx.xx.x4:49215. Maximum message allowed: 67108864. (::)
ERROR TcpInputProc - **Message rejected. Received unexpected 740320117 byte message!** from src=xx.xx.xx.x4:49216. Maximum message allowed: 67108864. (::)
Forwarder configs
My **inputs.conf**
```
# Version 6.4.0
# these here just override and disable stuff that in system/default.
################################
# Data thru parsingQueue always
################################
[splunktcp]
route=has_key:tautology:parsingQueue;absent_key:tautology:parsingQueue
################################
# Make sure these get forwarded
################################
[monitor://$SPLUNK_HOME\var\log\splunk\splunkd.log]
_TCP_ROUTING = indexer
index = _internal
[monitor://$SPLUNK_HOME\var\log\splunk\metrics.log]
_TCP_ROUTING = indexer
index = _internal
```
My **outputs.conf**
```
# Version 6.4.0
[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
forwardedindex.filter.disable = false
defaultGroup=indexer
[tcpout:indexer]
server=yy.yy.yy.y7:9997
```
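A triage helper for the indexer-side `TcpInputProc` rejections quoted in the post, added here as an example and not part of the original post or of Splunk's tooling. It parses each rejection and shows the reported size as raw bytes; that the receiver read this size from a 4-byte big-endian field is an assumption, and the function and field names are hypothetical.

```python
import re

# Indexer-side lines copied from the post above (addresses are redacted there).
INDEXER_LOG = """\
ERROR TcpInputProc - Message rejected. Received unexpected 740320117 byte message! from src=xx.xx.xx.x4:49215. Maximum message allowed: 67108864. (::)
ERROR TcpInputProc - Message rejected. Received unexpected 740320117 byte message! from src=xx.xx.xx.x4:49216. Maximum message allowed: 67108864. (::)
"""

REJECT = re.compile(
    r"Received unexpected (?P<size>\d+) byte message!? from src=(?P<src>\S+?)\. "
    r"Maximum message allowed: (?P<max>\d+)"
)


def triage(log_text):
    """Return one finding per rejected message found in log_text."""
    findings = []
    for line in log_text.splitlines():
        # Drop markdown bold markers in case the line was pasted from a forum.
        m = REJECT.search(line.replace("*", ""))
        if not m:
            continue
        size, limit = int(m["size"]), int(m["max"])
        # Assumption: the size came from a 4-byte big-endian length field.
        raw = size.to_bytes(4, "big") if size < 2**32 else b""
        findings.append({
            "src": m["src"],
            "size": size,
            "over_limit": size > limit,
            "hex": raw.hex(),
            # True when every byte is printable ASCII, i.e. the "length"
            # looks like text rather than a plausible message size.
            "printable": bool(raw) and all(0x20 <= b < 0x7F for b in raw),
            "ascii": raw.decode("ascii", "replace"),
        })
    return findings


if __name__ == "__main__":
    for f in triage(INDEXER_LOG):
        print(f)
```

Under that assumption, a size whose bytes are all printable ASCII suggests the receiver read ordinary text where it expected a length header, so the two ends disagree about how the stream is framed rather than the forwarder sending a genuinely oversized event.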