So we've noticed this error on our heavy forwarder. I assume it means that our indexer cluster, for some reason, doesn't like the connection with the heavy forwarder?
It looks as if I'm not missing any data as we are still getting various logs from different sources, I'm just slightly concerned as to why this error is appearing if we seem to be getting the data still?
My ouputs.conf on the HF is shown below:
[indexAndForward]
index = false
[tcpout]
defaultGroup = default-autolb-group
forwardedindex.filter.disable = true
indexAndForward = false
disabled = 0
[tcpout:default-autolb-group]
indexerDiscovery = idxc1
useClientSSLCompression = true
clientCert = /opt/splunk/etc/apps/certificates/local/SplunkForwarderCert.pem
sslPassword = ***********
[indexer_discovery:idxc1]
master_uri = https://SPLUNK-P-CM.secretdomain.com:8089
pass4SymmKey = ************
Does anyone see anything wrong or does anyone need to see anything else?
↧
ERROR TcpOutputFd - Read error. Connection reset by peer -- Error occurring on our heavy forwarder
↧