Skip to main content

Hello,

After upgrading my forwarders to the latest version of 9.1, I am no longer able to send to Cribl Stream. I am using the outputs.conf referenced here to send to my on-prem Stream instances:

[tcpout]
disabled = false
defaultGroup = cribl[tcpout:cribl]
server = STREAM_IP:PORT
sendCookedData = true
forceTimebasedAutoLB = false
negotiateProtocolLevel = 0

However, no data is making it through. When I look in the Log section of my Source, I do see this error message:

381_1226f8c6bab2437bbba11286e22ee1fc.png

Any idea what I can do for this issue?

I have also received these messages in Stream:

Unsupported S2S protocol version detected. Please restart the Splunk source to force renegotiation of the protocol version.unsupported op-code 13unsupported op-code 45Dumping last offending s2s v4 payload

Starting in Splunk 9.1, the minimum S2S version is v4. The default Cribl max S2S version is v3 by default. You can do two things to fix this issue:

  1. Increase the max S2S version in the Cribl TCP source to v4 under Advanced Settings.
  2. Add the enableOldS2SProtocol=true setting to the tcpout stanza in out outputs.conf file.
[tcpout]enableOldS2SProtocol = true

https://docs.splunk.com/Documentation/Forwarder/9.1.0/Forwarder/Troubleshoottheuniversalforwarder#Problems_running_9.1_with_older_versions_of_idexers

just spinned up some docker containers (Splunk forwarder 9.1.0.1 + Cribl 4.1.3).

Same issue here, splunkd.log shows:

07-14-2023 13:36:58.883 +0000 WARN  AutoLoadBalancedConnectionStrategy 1313 TcpOutEloop] - Indexer configured to use protocol level=0, which is no longer supported, will use the lowest supported protocol level=1

in the cribl source 'advanched settings, you have to change the 'Max S2S version'. By default its set to '3', you need to set it to '4'.

"advanced settings, you have to change the 'Max S2S version'" This doesn't exist under advanced. So this doesn't work.

This works:

Place this on top of your outputs.conf file

[tcpout]

enableOldS2SProtocol = true

Reply


Terms & ConditionsCookie settings