Hi, I have installed both Splunk Enterprise and the universal forwarder. I have added a receiver from the Splunk web interface and configured the forwarder to send data, but the receiver is not receiving the data. Then I manually edited inputs.conf for receiving the data, but it is still not receiving. It is showing the following exception in the splunkd log:
ERROR TcpInputProc - Received unexpected 825371952 byte message (Invalid payload_size=825371952 received while in parseState=1)! from src=127.0.0.1:61811
The configurations are as follows:
Receiver: inputs.conf
[default]
host = admin-PC
[monitor://$SPLUNK_HOME\etc\splunk.version]
disabled = true
[monitor://$SPLUNK_HOME\var\log\splunk]
disabled = true
[batch://$SPLUNK_HOME\var\spool\splunk]
disabled = true
[batch://$SPLUNK_HOME\var\spool\splunk...stash_new]
disabled = true
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = true
[splunktcp://9002]
disabled=false
Forwarder: inputs.conf
[default]
host = admin-PC
[monitor://D:\seachange\log\datagateway.log]
index = main
disabled = false
Forwarder: outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = localhost:9002
sendCookedData = false
[tcpout-server://localhost:9002]
Now when I delete the receiver and configure a TCP input from the Add Data section in the web interface, it starts receiving data, but it also receives the data from the Application/System log. How is all this happening? I want only the receiver to collect data, and the data should be only from the log I specified in inputs.conf on the forwarder. FYI, I am working on a Windows 7 system.
I will highly appreciate anyone's help. Please point out where I am wrong.
Your outputs.conf on the forwarder seems to be sending to itself as "localhost"?
My forwarder looks like this; my indexer is .103
OUTPUTS:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 192.168.1.103:9997
[tcpout-server://192.168.1.103:9997]
I also suspect that you enabled the Windows TA when you installed the forwarder; those .conf files are inside
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\etc\apps\ That is why you are getting Windows data but not your datagateway log.
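Added example (not part of the original posts and not Splunk's own code): decoding the payload_size from the TcpInputProc error in the question shows what the sender actually put on the wire. It assumes the receiver read the first four bytes of the stream as a big-endian 32-bit length. It goes beyond the 825371952 case to also label HTTP and TLS traffic, and the second and third sample lines are constructed.

```python
import re
import struct

# Format of the TcpInputProc error quoted in the question.
ERR_RE = re.compile(
    r"TcpInputProc - Received unexpected (?P<size>\d+) byte message"
    r".*?from src=(?P<src>[\d.]+:\d+)"
)

def decode_payload_size(size):
    """Return the four bytes that were interpreted as a length."""
    # Assumption: unsigned 32-bit big-endian integer.
    return struct.pack(">I", size)

def classify(raw):
    """Guess what kind of traffic produced these leading bytes."""
    if raw[:2] == b"\x16\x03":
        return "tls-handshake"      # TLS record header: sender uses SSL
    if all(0x20 <= b < 0x7F for b in raw):
        if raw.decode("ascii").strip() in ("GET", "POST", "HEAD", "PUT"):
            return "http-request"   # HTTP client pointed at this port
        return "raw-text"           # uncooked event text
    return "binary"

def scan(lines):
    """Return one finding per matching splunkd.log line."""
    findings = []
    for line in lines:
        m = ERR_RE.search(line)
        if not m or int(m["size"]) > 0xFFFFFFFF:
            continue
        raw = decode_payload_size(int(m["size"]))
        findings.append({"src": m["src"], "bytes": raw, "kind": classify(raw)})
    return findings

SAMPLE = [
    # From the question:
    "ERROR TcpInputProc - Received unexpected 825371952 byte message "
    "(Invalid payload_size=825371952 received while in parseState=1)! "
    "from src=127.0.0.1:61811",
    # Constructed sample lines (addresses from the documentation range):
    "ERROR TcpInputProc - Received unexpected 1347375956 byte message "
    "(Invalid payload_size=1347375956 received while in parseState=1)! "
    "from src=192.0.2.10:50122",
    "ERROR TcpInputProc - Received unexpected 369295616 byte message "
    "(Invalid payload_size=369295616 received while in parseState=1)! "
    "from src=192.0.2.11:50123",
]
```

For the error in the question this yields the bytes "12-0", that is, plain log text arriving on the splunktcp input. That is consistent with sendCookedData = false in the forwarder's outputs.conf, since a splunktcp stanza expects cooked data and raw data belongs on a plain tcp input.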