search cancel

Events are not being forwarded to Splunk


Article ID: 175221


Updated On:


Endpoint Detection and Response Advanced Threat Protection Platform


  • Events are not being forwarded to Splunk from Symantec Endpoint Detection and Response (SEDR) or Advanced Threat Protection (ATP).
  • There is a delay in event forwarding to Splunk from SEDR or ATP.

From the atp-splunk_connector.log you see the following error:

Upload failed with httpcode: [503], status code: [9], Reason: [Server is busy]


This can be caused by overloading the Splunk indexer.


This can be resolved on the Splunk side by switching from a single Splunk data collection node to a distributed deployment configuration.

Additional Information

It is possible the issue is different, in which case we recommend referring to Article Id: 215022 if necessary.  This article titled EDR stops sending events to Splunk refers to an issue where the time range trying to be collected may be too large and EDR may be purging the data before it can be forwarded to Splunk.