Hi,
I just upgraded two Splunk LWF 4.1.4 to Splunk UF 4.2.1 , other Splunk instances ( middle forwarders and indexers) are still in 4.1.4 .
I found there are many error messages in middle forwarder (after I upgraded LWF) , for example :
"05-27-2011 17:11:11.297 ERROR TcpInputProc - Received unrecognized signature --splunk-cooked-mode-v3--! from hostname=172.30.5.39, ip=172.30.5.39, port=50588"
"05-27-2011 17:11:04.822 ERROR TcpInputProc - Received unrecognized signature --splunk-cooked-mode-v3--! from hostname=172.30.5.39, ip=172.30.5.39, port=56588"
"05-27-2011 17:10:57.976 ERROR TcpInputProc - Received unrecognized signature --splunk-cooked-mode-v3--! from hostname=172.20.3.141, ip=172.20.3.141, port=47021"
172.20.3.141 and 172.30.5.39 are UF , above messages exist in middle forwarders' splunkd.log
any idea ? thanks
Indexers should always be updated first; they're backward compatible with earlier forwarders, but that may not be true in reverse.
You may want to review this answers post. It is likely relevant to the issue you are observing:
Hi
thanks for your reply.
I think my issue may be is different , because I can see the events sent from UF was indexed properly ( I can search all events from UF ) .