I am unable to send to Cribl Stream with Splunk HF/UF on version 9.1
Hello,
After upgrading my forwarders to the latest version of 9.1, I am no longer able to send to Cribl Stream. I am using the outputs.conf referenced here to send to my on-prem Stream instances:
[tcpout]
disabled = false
defaultGroup = cribl

[tcpout:cribl]
server = STREAM_IP:PORT
sendCookedData = true
forceTimebasedAutoLB = false
negotiateProtocolLevel = 0
However, no data is making it through. When I look in the Log section of my Source, I do see this error message:
Any idea what I can do for this issue?
Best Answer
-
Starting in Splunk 9.1, the minimum S2S version is v4. The default Cribl max S2S version is v3 by default. You can do two things to fix this issue:
- Increase the max S2S version in the Cribl TCP source to v4 under Advanced Settings.
- Add the enableOldS2SProtocol=true setting to the tcpout stanza in the outputs.conf file.
[tcpout]
enableOldS2SProtocol = true
1
Answers
-
I have also received these messages in Stream:
Unsupported S2S protocol version detected. Please restart the Splunk source to force renegotiation of the protocol version.
unsupported op-code 13
unsupported op-code 45
Dumping last offending s2s v4 payload
0 -
Just spun up some Docker containers (Splunk forwarder 9.1.0.1 + Cribl 4.1.3).
Same issue here, splunkd.log shows:
07-14-2023 13:36:58.883 +0000 WARN AutoLoadBalancedConnectionStrategy [1313 TcpOutEloop] - Indexer configured to use protocol level=0, which is no longer supported, will use the lowest supported protocol level=1
-
In the Cribl source 'advanced settings', you have to change the 'Max S2S version'. By default it's set to '3'; you need to set it to '4'.
1 -
"advanced settings, you have to change the 'Max S2S version'" This doesn't exist under advanced. So this doesn't work.
This works:
Place this on top of your outputs.conf file
[tcpout]
enableOldS2SProtocol = true
0
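Added example (not from the thread, and not Splunk or Cribl code): a small Python check that parses an outputs.conf and flags the two conditions discussed above, a receiver whose max S2S version is below the forwarder's minimum without enableOldS2SProtocol set, and negotiateProtocolLevel = 0. The function names, finding codes and the simplified .conf parsing are assumptions; the version defaults are the ones stated in the answers.

```python
import re

# Constructed sample: the outputs.conf from the question, placeholder server value.
SAMPLE_CONF = """\
[tcpout]
disabled = false
defaultGroup = cribl

[tcpout:cribl]
server = STREAM_IP:PORT
sendCookedData = true
negotiateProtocolLevel = 0
"""

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}.
    Repeated stanzas are merged and later keys win (simplified model)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def s2s_findings(conf_text, receiver_max_s2s=3, forwarder_min_s2s=4):
    """Return finding codes for a forwarder/receiver pair.
    Defaults follow the thread: Splunk 9.1 minimum is v4, Cribl default max is v3."""
    conf = parse_conf(conf_text)
    old_flag = conf.get("tcpout", {}).get("enableOldS2SProtocol", "false")
    old_enabled = old_flag.lower() in ("true", "1")  # assumption: accepted spellings
    findings = []
    # Forwarder refuses to go below v4 unless the old protocol is re-enabled.
    if receiver_max_s2s < forwarder_min_s2s and not old_enabled:
        findings.append("S2S_VERSION_MISMATCH")
    # The 9.1 forwarder in the thread logged a WARN for protocol level 0.
    for name, stanza in conf.items():
        if name.startswith("tcpout") and stanza.get("negotiateProtocolLevel") == "0":
            findings.append(f"PROTOCOL_LEVEL_0:{name}")
    return findings

if __name__ == "__main__":
    for finding in s2s_findings(SAMPLE_CONF):
        print(finding)
```

Pass `receiver_max_s2s=4` to model a Cribl source whose max S2S version has been raised, or prepend the `[tcpout]` stanza with `enableOldS2SProtocol = true` to model the forwarder-side fix.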