Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Cant get windows server into splunk

davidbeiler
Loves-to-Learn
‎11-27-2020 09:10 PM

Im pretty technical... i got splunk installed in centos, everything works ok, but for the life of me i cant figure this out

11-27-2020 23:53:54.093 -0500 WARN TcpOutputProc - The TCP output processor has paused the data flow. Forwarding to host_dest=192.168.1.109 inside output group default-autolb-group from host_src=splunk has been blocked for blocked_seconds=710. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.

Ports are open for 8000, 9997 (receiving port), and opened 8089.  Plenty of disk space, though when i do ss -l | grep 9997 i do not see anything for port 9997, even though ive unblocked the port 1000 times

Labels (2)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-27-2020 11:26 PM

Hi @davidbeiler,

only one question: after the pause, you continued to have logs from this server or they stopped?

if they continued to arrive (eventually late) probably there was a temporary network congestion caused by the network and/or the data flow (I don't think because this seems a lab configuration) or more probably by the index queue caused by the storage performances.

If instead they don't arrive more, there's something in the middle that blocks the data flow:

  • are there other forwarders that are sending logs?
  • did you tested with telnet the connection on port 9997?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...