Getting Data In

One UF isn't connecting to the indexer

gregbo
Communicator

One of my forwarders is not connecting with the indexers. Another system that is identical is connecting just fine. I keep getting errors about the message being rejected because it's too big, but I can't figure out where to adjust the allowed message size. This error is from the indexer:

03-04-2020 15:45:26.122 +0000 ERROR TcpInputProc - Message rejected. Received unexpected message of size=369295616 bytes from src=x.x.x.x:57186 in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.

0 Karma

manjunathmeti
SplunkTrust

Compare outputs.conf on both universal forwarders. Use the btool command to list the configurations and compare them. In particular, check whether sendCookedData is set to false on the UF that is not connecting. This error usually occurs when a forwarder is sending uncooked data to the indexer.

./splunk cmd btool outputs list --debug

If sendCookedData = false, change it to true and restart the UF.

0 Karma
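
The btool comparison suggested in the answer above, as an added example that is not part of any post in this thread: it reduces the saved `btool outputs list --debug` output of each forwarder to its effective settings, masks sslPassword, and reports what differs and where sendCookedData is false. The function names, sample hostnames, the `legacy_app` app name and the hashes are constructed; the script assumes each btool line is a source path without spaces followed by a stanza header or `key = value`.

```shell
#!/bin/sh
# Input: saved output of `./splunk cmd btool outputs list --debug` from each forwarder.
# Assumed layout per line: <source .conf path><whitespace><[stanza] or key = value>

# Reduce a listing to sorted "[stanza]<TAB>key = value" lines.
normalize_btool() {
    awk '
        { sub(/^[^ \t]+[ \t]+/, "") }        # drop the source-path column
        /^\[.*\]$/ { stanza = $0; next }     # remember the current stanza
        /=/ {
            key = $0; sub(/[ \t]*=.*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            if (key == "sslPassword") val = "<masked>"   # hash differs per host
            print stanza "\t" key " = " val
        }' "$1" | LC_ALL=C sort
}

# Effective settings that differ: "<" working forwarder, ">" failing forwarder.
diff_outputs() {
    good=$(mktemp); bad=$(mktemp)
    normalize_btool "$1" > "$good"; normalize_btool "$2" > "$bad"
    diff "$good" "$bad" | grep '^[<>]' || true
    rm -f "$good" "$bad"
}

# Stanzas whose effective sendCookedData is false.
uncooked_stanzas() {
    normalize_btool "$1" | awk -F'\t' '{
        split($2, kv, " = ")
        if (kv[1] == "sendCookedData" && tolower(kv[2]) == "false") print $1
    }'
}

# Constructed sample listings (hostnames, app name and hashes are made up).
write_samples() {
    p=/opt/splunkforwarder/etc
    cat > "$1/uf_good.txt" <<EOF
$p/system/local/outputs.conf   [tcpout]
$p/system/local/outputs.conf   defaultGroup = idx
$p/system/default/outputs.conf sendCookedData = true
$p/system/local/outputs.conf   [tcpout:idx]
$p/system/local/outputs.conf   server = idx1.example.com:9997
$p/system/local/outputs.conf   sslPassword = \$7\$AAAA
EOF
    sed -e 's|system/default/outputs.conf sendCookedData = true|apps/legacy_app/local/outputs.conf sendCookedData = false|' \
        -e 's|AAAA|BBBB|' "$1/uf_good.txt" > "$1/uf_bad.txt"
}

d=$(mktemp -d); write_samples "$d"   # demo run on the constructed samples
diff_outputs "$d/uf_good.txt" "$d/uf_bad.txt"
```

In the constructed sample the two `system/local/outputs.conf` files carry the same settings, and the only effective difference is a sendCookedData value set by another app's outputs.conf, which the `--debug` source column makes visible.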

gregbo
Communicator

I checked, and both outputs.conf are identical (except for the sslPassword hash). Could it be something else? Is there a way to increase the "Maximum message size" that's mentioned in the error?

0 Karma

manjunathmeti
SplunkTrust

But a message can't be of size ~360MB. It looks like the indexer is receiving uncooked data from the forwarder. One way this happens is when sendCookedData=false on the UF.

0 Karma