My forwarder can't connect to my splunk cloud sand...

xzhao · ‎01-09-2015

I followed by this doc
http://answers.splunk.com/answers/147295/how-do-i-send-my-own-data-into-a-splunk-cloud-sandbox-trial...

and my outputs.conf like below

[tcpout]
defaultGroup = sandbox

[tcpout:sandbox]
server = input-prd-p-xxxxxxxxxx.cloud.splunk.com:9997

but I got err msg from my splunkd.log like below

01-09-2015 00:26:35.174 -0800 INFO TcpOutputProc - Connected to idx=54.165.154.169:9997
01-09-2015 00:26:35.251 -0800 ERROR TcpOutputFd - Read error. Connection reset by peer
01-09-2015 00:26:35.251 -0800 INFO TcpOutputProc - Connection to 54.165.154.169:9997 closed. Read error. Connection reset by peer
01-09-2015 00:26:35.251 -0800 WARN TcpOutputProc - Applying quarantine to ip=54.165.154.169 port=9997 _numberOfFailures=9
01-09-2015 00:29:34.969 -0800 INFO TcpOutputProc - Removing quarantine from idx=54.165.154.169:9997

in my sandbox UI it showed

Listen on this port Status Actions
9997
Enabled

I think that port should be enabled, but my forwarder still can't connect to that.

how can I fix this?

yannK · ‎09-11-2015

You need to remove your custom outputs.conf, and download the splunkcloud forwarder credendials (from the app "universal forwarder" in the UI of the cloud sandbox instance)
Otherwise you may have a conflict with the defaultGroup definition. If you are not sure, use btool to verify,

My forwarder can't connect to my splunk cloud sandbox

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?