- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Why is my connection from forarder to indexer timi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have 2 VMs, one running an indexer:
hostname "splunkbox"
ip 192.168.56.151
and one running a universal forwarder:
hostname "splunkforwarder"
ip 192.168.56.152
I'm getting this error on my forwarder:
WARN TcpOutputProc - Cooked connection to ip=192.168.56.151:9997 timed out
splunkforwarder's outputs.conf looks like this:
[tcpout]
defaultGroup=local_splunk
[tcpout:local_splunk]
server=splunkbox:9997
[tcpout-server://splunkbox:9997]
splunkbox's inputs.conf looks like this:
[default]
host = splunkbox
[tcp://:9997]
disabled=0
Connectivity between the two is in place:
# nc -v 192.168.56.151 9997
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connected to 192.168.56.151:9997.
So what could the problem be?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I deleted my input stanza and used the receiving gui on the indexer, now it works.
For reference, here's what it created in inputs.conf:
[splunktcp://9997]
connection_host = ip
So I needed that instead of
[tcp://:9997]
disabled=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I deleted my input stanza and used the receiving gui on the indexer, now it works.
For reference, here's what it created in inputs.conf:
[splunktcp://9997]
connection_host = ip
So I needed that instead of
[tcp://:9997]
disabled=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello there,
many answers about this error in this portal:
https://answers.splunk.com/answers/38206/cooked-connection-timed-out.html
https://answers.splunk.com/answers/226566/why-are-we-getting-error-tcpoutputproc-cooked-conn.html
https://answers.splunk.com/answers/217841/cooked-connection-to-ip-timed-out.html
https://answers.splunk.com/answers/206760/tcpoutputproc-cooked-connection-to-ipxxxx9997-time.html
make sure you enabled receiving on the Indexes (splunkbox) side
http://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Enableareceiver
i see in your question it reflect in inputs.conf but worthwhile to double check
another option is to try and replace the "splunkbox" with the ip on outputs.conf only to make sure
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, one of them pointed me in the right direction. I'll write an answer to explain exactly what needed changing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, post it as an answer and then click Accept (you should upvote @adonio, too).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is a cooked connection?
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
