Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

connection errors when I restart splunk

RuthBishop
New Member
‎05-08-2014 09:17 AM

Hi I cannot get the universal forwarder to move to active mode.

I get the following error in splunkd logs. Can you help me sort this out.

05-08-2014 11:49:28.432 -C- Connection to host=10.1.1.xxx :9997 failed
05-08-2014 11:49:58.257 -0400 WARN TcpOutputFd - Connect to 10.1.1.xxx:9997 fa iled. Connection refused
05-08-2014 11:49:58.257 -0400 ERROR TcpOutputFd - Connection to host=10.1.1.146 :9997 failed
05-08-2014 11:50:28.268 -0400 WARN TcpOutputFd - Connect to 10.1.1.xxx:9997 fa iled. Connection refused
05-08-2014 11:50:28.268 -0400 ERROR TcpOutputFd - Connection to host=10.1.1.xxx :9997 failed
05-08-2014 11:50:58.261 -0400 WARN TcpOutputFd - Connect to 10.1.1.xxx:9997 fa iled. Connection refused
05-08-2014 11:50:58.261 -0400 ERROR TcpOutputFd - Connection to host=10.1.1.xxx :9997 failed
[root@d1asepric577 bin]# tail 200 /opt/splunkforwarder/var/log/splunk/splunkd.log

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-08-2014 10:21 AM

Sounds as if the forwarder is getting a connection refused on port 9997 of 10.1.1.146 - make sure you have turned on receiving on that Splunk instance, and that the network path including firewalls is open.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-08-2014 10:48 AM

That's 10.1.1.136, the forwarder seems to complain about 10.1.1.146.

0 Karma
Reply

RuthBishop
New Member
‎05-08-2014 10:42 AM

I'm able to telent to the indexer on that port.

[root@d1asepric578 bin]# telnet d1asepric567 9997
Trying 10.1.1.136...
Connected to d1asepric567.
Escape character is '^]'.

But I agree something is blocking the connection and it seems to be on the forwarer side. I not quite sure were to look.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...