Splunk® Enterprise

Securing the Splunk Platform

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

Troubleshoot Splunk forwarder TCP tokens

You can control which forwarders in your Splunk Enterprise deployment have access to the indexers by setting up forwarder TCP tokens. In the case where a forwarder TCP token becomes corrupt, or the indexer to which the forwarder sends data rejects the token, that indexer generates an error message in its logs. A forwarder always tries to communicate with the indexer you have configured it to communicate with, regardless of whether or not the TCP token you have configured for it is valid.

To locate the bad forwarder token, increase the logging level of the indexer:

  1. Open a shell prompt.
  2. Using a text editor, edit SPLUNK_HOME/etc/log.cfg as follows: 
    category.TcpOutputProc=DEBUG
category.TcpInputConfig=DEBUG
category.TcpInputProc=DEBUG
  3. Save the file and close it.
  4. Restart the indexer.

When a token that a forwarder sends matches the token that the indexer receives, Splunk components generate the following messages:

Indexer: 

09-15-2015 13:21:30.746 -0700 DEBUG TcpInputProc -  Forwarder token matched

Universal Forwarder: 

09-15-2015 13:24:00.343 -0700 DEBUG TcpOutputProc - Indexer 
can use tokens

When the tokens do not match, the indexer generates a message similar to the following: 

09-15-2015 13:22:01.747 -0700 ERROR TcpInputProc - Exception:  Token not sent by 
forwarder src=10.140.126.58:51838! for data received from src=10.140.126.58:51838

09-15-2015 13:52:14.803 -0700 ERROR TcpInputProc - Exception:  Token sent by 
forwarder does not match configured tokens src=10.140.126.58:51990! 
for data received from src=10.140.126.58:51990
Last modified on 09 February, 2021
PREVIOUS
Safeguards for risky commands 		  NEXT
Avoid unintentional execution of fields within CSV files in third party applications

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.2.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters