I have 2 VMs, one running an indexer:
hostname "splunkbox"
ip 192.168.56.151
and one running a universal forwarder:
hostname "splunkforwarder"
ip 192.168.56.152
I'm getting this error on my forwarder:
WARN TcpOutputProc - Cooked connection to ip=192.168.56.151:9997 timed out
splunkforwarder's outputs.conf looks like this:
[tcpout]
defaultGroup=local_splunk
[tcpout:local_splunk]
server=splunkbox:9997
[tcpout-server://splunkbox:9997]
splunkbox's inputs.conf looks like this:
[default]
host = splunkbox
[tcp://:9997]
disabled=0
Connectivity between the two is in place:
# nc -v 192.168.56.151 9997
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connected to 192.168.56.151:9997.
So what could the problem be?
I deleted my input stanza and used the receiving gui on the indexer, now it works.
For reference, here's what it created in inputs.conf:
[splunktcp://9997]
connection_host = ip
So I needed that instead of
[tcp://:9997]
disabled=0
I deleted my input stanza and used the receiving gui on the indexer, now it works.
For reference, here's what it created in inputs.conf:
[splunktcp://9997]
connection_host = ip
So I needed that instead of
[tcp://:9997]
disabled=0
Hello there,
many answers about this error in this portal:
https://answers.splunk.com/answers/38206/cooked-connection-timed-out.html
https://answers.splunk.com/answers/226566/why-are-we-getting-error-tcpoutputproc-cooked-conn.html
https://answers.splunk.com/answers/217841/cooked-connection-to-ip-timed-out.html
https://answers.splunk.com/answers/206760/tcpoutputproc-cooked-connection-to-ipxxxx9997-time.html
make sure you enabled receiving on the Indexes (splunkbox) side
http://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Enableareceiver
i see in your question it reflect in inputs.conf but worthwhile to double check
another option is to try and replace the "splunkbox" with the ip on outputs.conf only to make sure
hope it helps
Thanks, one of them pointed me in the right direction. I'll write an answer to explain exactly what needed changing.
Yes, post it as an answer and then click Accept
(you should upvote @adonio, too).
What is a cooked connection?