connection errors when I restart splunk

RuthBishop · ‎05-08-2014

Hi I cannot get the universal forwarder to move to active mode.

I get the following error in splunkd logs. Can you help me sort this out.

05-08-2014 11:49:28.432 -C- Connection to host=10.1.1.xxx :9997 failed
05-08-2014 11:49:58.257 -0400 WARN TcpOutputFd - Connect to 10.1.1.xxx:9997 fa iled. Connection refused
05-08-2014 11:49:58.257 -0400 ERROR TcpOutputFd - Connection to host=10.1.1.146 :9997 failed
05-08-2014 11:50:28.268 -0400 WARN TcpOutputFd - Connect to 10.1.1.xxx:9997 fa iled. Connection refused
05-08-2014 11:50:28.268 -0400 ERROR TcpOutputFd - Connection to host=10.1.1.xxx :9997 failed
05-08-2014 11:50:58.261 -0400 WARN TcpOutputFd - Connect to 10.1.1.xxx:9997 fa iled. Connection refused
05-08-2014 11:50:58.261 -0400 ERROR TcpOutputFd - Connection to host=10.1.1.xxx :9997 failed
[root@d1asepric577 bin]# tail 200 /opt/splunkforwarder/var/log/splunk/splunkd.log

martin_mueller · ‎05-08-2014

Sounds as if the forwarder is getting a connection refused on port 9997 of 10.1.1.146 - make sure you have turned on receiving on that Splunk instance, and that the network path including firewalls is open.

martin_mueller · ‎05-08-2014

That's 10.1.1.136, the forwarder seems to complain about 10.1.1.146.

RuthBishop · ‎05-08-2014

I'm able to telent to the indexer on that port.

[root@d1asepric578 bin]# telnet d1asepric567 9997
Trying 10.1.1.136...
Connected to d1asepric567.
Escape character is '^]'.

But I agree something is blocking the connection and it seems to be on the forwarer side. I not quite sure were to look.

connection errors when I restart splunk

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms