Troubleshoot Splunk forwarder TCP tokens
You can control which forwarders in your Splunk Enterprise deployment have access to the indexers by setting up forwarder TCP tokens. In the case where a forwarder TCP token becomes corrupt, or the indexer to which the forwarder sends data rejects the token, that indexer generates an error message in its logs. A forwarder always tries to communicate with the indexer you have configured it to communicate with, regardless of whether or not the TCP token you have configured for it is valid.
To locate the bad forwarder token, increase the logging level of the indexer:
- Open a shell prompt.
- Using a text editor, edit
SPLUNK_HOME/etc/log.cfgas follows:category.TcpOutputProc=DEBUG category.TcpInputConfig=DEBUG category.TcpInputProc=DEBUG
- Save the file and close it.
- Restart the indexer.
When a token that a forwarder sends matches the token that the indexer receives, Splunk components generate the following messages:
Indexer:
09-15-2015 13:21:30.746 -0700 DEBUG TcpInputProc - Forwarder token matched
Universal Forwarder:
09-15-2015 13:24:00.343 -0700 DEBUG TcpOutputProc - Indexer can use tokens
When the tokens do not match, the indexer generates a message similar to the following:
09-15-2015 13:22:01.747 -0700 ERROR TcpInputProc - Exception: Token not sent by forwarder src=10.140.126.58:51838! for data received from src=10.140.126.58:51838 09-15-2015 13:52:14.803 -0700 ERROR TcpInputProc - Exception: Token sent by forwarder does not match configured tokens src=10.140.126.58:51990! for data received from src=10.140.126.58:51990
| SPL safeguards for risky commands | Avoid unintentional execution of fields within CSV files in third party applications |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)
Download manual
Feedback submitted, thanks!