Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

forwarder not compressing despite being told to do so

summitcove
New Member
‎10-05-2010 02:05 AM

Hi There. I have 2 matching forwarders pointed to an indexer. One compresses, one doesn't. Any ideas why?

Machine that works

cat /opt/splunk/etc/system/local/outputs.conf 
[tcpout]
defaultGroup = my_indexers
indexAndForward = true

[tcpout:my_indexers]
compressed = true
server = splunklog:29000

[tcpout-server://splunklog:29000]
compressed = true

Machine that doesn't work

cat /opt/splunk/etc/system/local/outputs.conf 
[tcpout]
defaultGroup = my_indexers
indexAndForward = true

[tcpout:my_indexers]
compressed = true
server = splunklog:29001

[tcpout-server://splunklog:29001]
compressed = true

Indexer (machine that receives)

cat /opt/splunk/etc/system/local/inputs.conf 
[default]
host = splunk.***********.com

[splunktcp://29000]
compressed = true
enableS2SHeartbeat = true

[splunktcp://29001]
compressed = true
enableS2SHeartbeat = true

Log that proves it (10...101 is the machine that doesn't send compressed)

tail /opt/splunk/var/logs/splunk/splunkd.log
10-04-2010 19:55:16.756 ERROR TcpInputProc - Received unrecognized signature --splunk-cooked-mode-v2--! from hostname=10.***.****.101, ip=10.***.****.101, port=41119
10-04-2010 19:55:16.756 INFO  TcpInputProc - Hostname=10.***.****.101 closed connection
10-04-2010 19:55:47.771 INFO  TcpInputProc - Connection in cooked mode from 10.***.****.101
10-04-2010 19:56:18.756 ERROR PipelineDataInput - Mismatch in configuration between forwarder and indexer. Expecting compressed data, but forwarder configured to send without compression
10-04-2010 19:56:18.756 ERROR TcpInputProc - Received unrecognized signature --splunk-cooked-mode-v2--! from hostname=10.***.****.101, ip=10.***.****.101, port=41120
10-04-2010 19:56:18.756 INFO  TcpInputProc - Hostname=10.***.****.101 closed connection
Tags (1)
0 Karma
Reply

rodman
New Member
‎01-09-2013 09:56 AM

I am also seeing the same behavior. My compression settings are also set the same as yours. Were you able to find an answer?

0 Karma
Reply

davidbrai
New Member
‎12-12-2010 08:42 PM

I'm having the same problem. Did you manage to fix it?

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...