Solved

I am unable to send to Cribl Stream with Splunk HF/UF on version 9.1

  • March 11, 2025
  • 5 replies
  • 107 views

Christopher Owen

Hello,

After upgrading my forwarders to the latest version of 9.1, I am no longer able to send to Cribl Stream. I am using the outputs.conf referenced here to send to my on-prem Stream instances:

[tcpout]
disabled = false
defaultGroup = cribl

[tcpout:cribl]
server = STREAM_IP:PORT
sendCookedData = true
forceTimebasedAutoLB = false
negotiateProtocolLevel = 0

However, no data is making it through. When I look in the Log section of my Source, I do see this error message:

[Screenshot of the error message]

Any idea what I can do for this issue?

Best answer by Brendan Dalpe

Starting in Splunk 9.1, the minimum S2S version is v4. The Cribl max S2S version is v3 by default. You can do two things to fix this issue:

  1. Increase the max S2S version in the Cribl TCP source to v4 under Advanced Settings.
  2. Add the enableOldS2SProtocol=true setting to the tcpout stanza in your outputs.conf file.

[tcpout]
enableOldS2SProtocol = true

https://docs.splunk.com/Documentation/Forwarder/9.1.0/Forwarder/Troubleshoottheuniversalforwarder#Problems_running_9.1_with_older_versions_of_idexers

5 replies

Christopher Owen

I have also received these messages in Stream:

Unsupported S2S protocol version detected. Please restart the Splunk source to force renegotiation of the protocol version.
unsupported op-code 13
unsupported op-code 45
Dumping last offending s2s v4 payload


Just spun up some Docker containers (Splunk forwarder 9.1.0.1 + Cribl 4.1.3).

Same issue here, splunkd.log shows:

07-14-2023 13:36:58.883 +0000 WARN  AutoLoadBalancedConnectionStrategy [1313 TcpOutEloop] - Indexer configured to use protocol level=0, which is no longer supported, will use the lowest supported protocol level=1


In the Cribl source 'Advanced Settings', you have to change the 'Max S2S version'. By default it's set to '3'; you need to set it to '4'.


  • New Participant
  • March 11, 2025

"advanced settings, you have to change the 'Max S2S version'" This doesn't exist under advanced. So this doesn't work.

This works:

Place this on top of your outputs.conf file

[tcpout]
enableOldS2SProtocol = true
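
An added example, not part of any post in this thread: a Python check that reads an outputs.conf and reports the two conditions discussed above (enableOldS2SProtocol missing from [tcpout], and negotiateProtocolLevel = 0 in any tcpout stanza). The function name, the sample text and the accepted boolean spellings are assumptions made for illustration.

```python
import configparser

# Constructed sample: the outputs.conf from the question, with the two
# stanzas on separate lines.
QUESTION_CONF = """\
[tcpout]
disabled = false
defaultGroup = cribl

[tcpout:cribl]
server = STREAM_IP:PORT
sendCookedData = true
forceTimebasedAutoLB = false
negotiateProtocolLevel = 0
"""

TRUE_VALUES = {"true", "1"}  # assumption: boolean spellings treated as enabled


def audit_outputs_conf(text):
    """Return (stanza, setting, note) findings for a 9.1+ forwarder."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(text)
    findings = []

    # The fix from the thread lives in the global [tcpout] stanza.
    tcpout = cp["tcpout"] if cp.has_section("tcpout") else {}
    old = tcpout.get("enableOldS2SProtocol", "false").strip().lower()
    if old not in TRUE_VALUES:
        findings.append(("tcpout", "enableOldS2SProtocol",
                         "not enabled: forwarder speaks S2S v4, so the Cribl "
                         "source must allow max S2S version 4"))

    # splunkd.log in the thread warns when protocol level 0 is configured.
    for stanza in cp.sections():
        if not stanza.startswith("tcpout"):
            continue
        if cp[stanza].get("negotiateProtocolLevel", "").strip() == "0":
            findings.append((stanza, "negotiateProtocolLevel",
                             "level 0 is no longer supported; splunkd warns "
                             "and uses level 1"))
    return findings


if __name__ == "__main__":
    for stanza, setting, note in audit_outputs_conf(QUESTION_CONF):
        print(f"[{stanza}] {setting}: {note}")
```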