Hello Splunkers,

I had an issue with a Splunk Universal Forwarder 6.3.1 (build f3e41e4b37b2) upgrade recently
and I wanted to share with you the issue and its resolution. Knowing that this could happen to anyone.

After the upgrade to 6.3.1 from version 5.07 this particular host would not send any data.
I must have checked the same serverclass entry 50 times. Then the app itself another 50 times as
that would show old timestamps as well under C:\Program Files\SplunkUniversalForwarder\etc\apps

After working with Support we found the below errors and sucesses in
C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log on the forwarder.

Errors:
12-16-2015 10:18:54.142 -0400 WARN TcpOutputFd - Connect to xx.xxx.xx.xxx:9997 failed. No connection could be made because the target machine actively refused it.
12-16-2015 10:18:54.142 -0400 ERROR TcpOutputFd - Connection to host=xx.xxx.xx.xxx:9997 failed
12-16-2015 10:18:54.142 -0400 WARN TcpOutputProc - Applying quarantine to ip=xx.xxx.xx.xxx port=9997 _numberOfFailures=11
12-16-2015 13:43:33.377 -0500 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected

Success messages (outputs.conf was fine 🙂 but nothing getting there or so I had thought.
12-16-2015 15:20:36.812 -0500 INFO TcpOutputProc - Connected to idx=xx.xxx.xx.xxx:9997 (indexer 1)
12-16-2015 15:21:06.920 -0500 INFO TcpOutputProc - Connected to idx=xx.xxx.xx.xxx:9997 (indexer 2)