Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

forwarder not compressing despite being told to do so

summitcove
New Member
‎10-05-2010 02:05 AM

Hi There. I have 2 matching forwarders pointed to an indexer. One compresses, one doesn't. Any ideas why?

Machine that works

cat /opt/splunk/etc/system/local/outputs.conf 
[tcpout]
defaultGroup = my_indexers
indexAndForward = true

[tcpout:my_indexers]
compressed = true
server = splunklog:29000

[tcpout-server://splunklog:29000]
compressed = true

Machine that doesn't work

cat /opt/splunk/etc/system/local/outputs.conf 
[tcpout]
defaultGroup = my_indexers
indexAndForward = true

[tcpout:my_indexers]
compressed = true
server = splunklog:29001

[tcpout-server://splunklog:29001]
compressed = true

Indexer (machine that receives)

cat /opt/splunk/etc/system/local/inputs.conf 
[default]
host = splunk.***********.com

[splunktcp://29000]
compressed = true
enableS2SHeartbeat = true

[splunktcp://29001]
compressed = true
enableS2SHeartbeat = true

Log that proves it (10...101 is the machine that doesn't send compressed)

tail /opt/splunk/var/logs/splunk/splunkd.log
10-04-2010 19:55:16.756 ERROR TcpInputProc - Received unrecognized signature --splunk-cooked-mode-v2--! from hostname=10.***.****.101, ip=10.***.****.101, port=41119
10-04-2010 19:55:16.756 INFO  TcpInputProc - Hostname=10.***.****.101 closed connection
10-04-2010 19:55:47.771 INFO  TcpInputProc - Connection in cooked mode from 10.***.****.101
10-04-2010 19:56:18.756 ERROR PipelineDataInput - Mismatch in configuration between forwarder and indexer. Expecting compressed data, but forwarder configured to send without compression
10-04-2010 19:56:18.756 ERROR TcpInputProc - Received unrecognized signature --splunk-cooked-mode-v2--! from hostname=10.***.****.101, ip=10.***.****.101, port=41120
10-04-2010 19:56:18.756 INFO  TcpInputProc - Hostname=10.***.****.101 closed connection
Tags (1)
0 Karma
Reply

rodman
New Member
‎01-09-2013 09:56 AM

I am also seeing the same behavior. My compression settings are also set the same as yours. Were you able to find an answer?

0 Karma
Reply

davidbrai
New Member
‎12-12-2010 08:42 PM

I'm having the same problem. Did you manage to fix it?

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...