We have updated our Terms of Service, Code of Conduct, and Addendum.

I am unable to send to Cribl Stream with Spunk HF/UF on version 9.1

Options
Christopher Owen
Christopher Owen Posts: 23
edited July 2023 in Stream

Hello,

After upgrading my forwarders to the latest version of 9.1, I am no longer able to send to Cribl Stream. I am using the outputs.conf referenced here to send to my on-prem Stream instances:

[tcpout]

disabled = false

defaultGroup = cribl

[tcpout:cribl]

server = STREAM_IP:PORT

sendCookedData = true

forceTimebasedAutoLB = false

negotiateProtocolLevel = 0

However, no data is making it through. When I look in the Log section of my Source, I do see this error message:

image.png

Any idea what I can do for this issue?

Tagged:

Best Answer

Answers

  • Christopher Owen
    Christopher Owen Posts: 23
    Options

    I have also received these messages in Stream:

    Unsupported S2S protocol version detected. Please restart the Splunk source to force renegotiation of the protocol version.

unsupported op-code 13

unsupported op-code 45

Dumping last offending s2s v4 payload


  • Brendan Dalpe
    Brendan Dalpe Posts: 201 mod
    Answer ✓
    Options

    Starting in Splunk 9.1, the minimum S2S version is v4. The default Cribl max S2S version is v3 by default. You can do two things to fix this issue:

    1. Increase the max S2S version in the Cribl TCP source to v4 under Advanced Settings.
    2. Add the enableOldS2SProtocol=true setting to the tcpout stanza in out outputs.conf file.
    [tcpout]
enableOldS2SProtocol = true

    https://docs.splunk.com/Documentation/Forwarder/9.1.0/Forwarder/Troubleshoottheuniversalforwarder#Problems_running_9.1_with_older_versions_of_idexers

  • geert.vandergiessen
    geert.vandergiessen Posts: 2
    Options

    just spinned up some docker containers (Splunk forwarder 9.1.0.1 + Cribl 4.1.3).

    Same issue here, splunkd.log shows:

    07-14-2023 13:36:58.883 +0000 WARN  AutoLoadBalancedConnectionStrategy [1313 TcpOutEloop] - Indexer configured to use protocol level=0, which is no longer supported, will use the lowest supported protocol level=1

  • geert.vandergiessen
    geert.vandergiessen Posts: 2
    Options

    in the cribl source 'advanched settings, you have to change the 'Max S2S version'. By default its set to '3', you need to set it to '4'.

  • david.hoskins
    david.hoskins Posts: 1
    Options

    "advanced settings, you have to change the 'Max S2S version'" This doesn't exist under advanced. So this doesn't work.

    This works:

    Place this on top of your outputs.conf file

    [tcpout]
    enableOldS2SProtocol = true

Categories