Splunk® Enterprise

Securing the Splunk Platform

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

Splunk server tokens

If a forwarder TCP token is corrupt or rejected, the indexer that receives the token generates error messages in its logs. If you do not locate the bad token, that forwarder tries to use it indefinitely.

To locate the bad forwarder token, increase the logging level of the indexer:

  1. Open a shell prompt.
  2. Using a text editor, edit SPLUNK_HOME/etc/log.cfg as follows: 
    category.TcpOutputProc=DEBUG
category.TcpInputConfig=DEBUG
category.TcpInputProc=DEBUG
  3. Save the file and close it.
  4. Restart the indexer.

When a token that a forwarder sends matches the token that the indexer receives, the following messages are generated:

Indexer: 

09-15-2015 13:21:30.746 -0700 DEBUG TcpInputProc -  Forwarder token matched

Universal Forwarder: 

09-15-2015 13:24:00.343 -0700 DEBUG TcpOutputProc - Indexer 
can use tokens

When the tokens do not match, the indexer generates a message similar to the following: 

09-15-2015 13:22:01.747 -0700 ERROR TcpInputProc - Exception:  Token not sent by 
forwarder src=10.140.126.58:51838! for data received from src=10.140.126.58:51838

09-15-2015 13:52:14.803 -0700 ERROR TcpInputProc - Exception:  Token sent by 
forwarder does not match configured tokens src=10.140.126.58:51990! 
for data received from src=10.140.126.58:51990
Last modified on 26 February, 2019
PREVIOUS
Safeguards for risky commands 		  NEXT
Avoid malicious CSV files in searches

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.1.0, 8.1.1

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters