Failed to resurrect x byte message!

eugenekogan · ‎03-13-2012

I am seeing a continuous stream of error messages on one of my indexers, such as this sample:

03-13-2012 15:28:33.861 +0000 WARN  PipelineInputChannel - channel "source::C:\Program Files\SplunkUniversalForwarder/var/log/splunk/splunkd.log|host::DC-SERVER-21|SplunkUniversalForwarder/var/log/splunk/splunkd-2|remoteport::2239" ended without a done-key
03-13-2012 15:28:34.034 +0000 ERROR TcpInputProc - Failed to resurrect 954 byte message! from src=10.9.81.21:2238
03-13-2012 15:28:34.934 +0000 ERROR TcpInputProc - Failed to resurrect 1338 byte message! from src=10.9.81.21:2250
03-13-2012 15:28:36.890 +0000 ERROR TcpInputProc - Failed to resurrect 1290 byte message! from src=10.9.81.21:2258
03-13-2012 15:28:37.442 +0000 ERROR TcpInputProc - Failed to resurrect 1262 byte message! from src=10.9.81.21:2247
03-13-2012 15:28:37.810 +0000 ERROR TcpInputProc - Failed to resurrect 1290 byte message! from src=10.9.81.21:2259
03-13-2012 15:28:39.911 +0000 ERROR TcpInputProc - Failed to resurrect 1290 byte message! from src=10.9.81.21:2267

Any ideas on how to identify the problem? The forwarder is running on Windows. Thanks!

wbfoxii · ‎05-14-2012

Forwarder is sending compressed data and the indexer is expecting uncompressed? or vice-versa? make sure outputs.conf on the forwarder and inputs.conf on the indexer are configured properly.

Failed to resurrect x byte message!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases