indexAndForward = 1

moohkhol · ‎01-09-2014

Hi Guys,
I know, many people have asked this question and i have gone through many post but still no clue to solve my problem.

I have set-up heavy forwarder ,
Path: /splunk/etc/system/default

inputs.conf

[monitor:///usr/local/.../test.log]
index = main
sourcetype = %sourcetype%

[splunktcp://9997]
connection_host = ip

outputs.conf

[tcpout]
defaultGroup = splunkindexer_9997

indexAndForward = 1

[tcpout:splunkindexer_9997]

autoLB = true

server = serverip:9997

[tcpout-server://serverip:9997]

Our indexer has installed on serverip and from GUI, i have added TCP input type where i have given index as main and sourcetype as sourcetype

I have restart many time and still i am getting error cooked connection and connection time out.

One interesting thing, at indexer side, if i am searching sourcetype=sourcetype I am getting cooked events from forwarder machine but actual log data are not getting forwarded.

Please suggest.

Ayn · ‎01-09-2014

From the looks of it you've configured a raw TCP input on port 9997 on the indexer rather than a receiving port. It needs to be splunktcp, not tcp in inputs.conf. Could you please paste relevant inputs.conf on the indexer?

View solution in original post

moohkhol · ‎01-10-2014

Thanks a lot Ayan, it's works for me, I have change splunktcp at indexer side.

Ayn · ‎01-10-2014

No problem. Please mark my answer as accepted.

Ayn · ‎01-09-2014

From the looks of it you've configured a raw TCP input on port 9997 on the indexer rather than a receiving port. It needs to be splunktcp, not tcp in inputs.conf. Could you please paste relevant inputs.conf on the indexer?

Cooked connection time out with splunk heavy forwarder

indexAndForward = 1

autoLB = true

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases