<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Unable to send data from an Universal Forwarder to a Splunk Server in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-data-from-an-Universal-Forwarder-to-a-Splunk/m-p/251109#M48356</link>
    <description>&lt;P&gt;We see -&lt;/P&gt;

&lt;P&gt;-- 07-08-2016 06:59:51.093 +0200 WARN TcpOutputProc - Cooked connection to ip=@.220:9997 timed out&lt;/P&gt;

&lt;P&gt;The following speaks about a similar issue - &lt;A href="https://answers.splunk.com/answers/38206/cooked-connection-timed-out.html"&gt;cooked connection timed out?&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;The issue there was - &lt;CODE&gt;found the issue - missing indexer cert&lt;/CODE&gt;.&lt;/P&gt;

&lt;P&gt;Maybe a similar thing is in your case...&lt;/P&gt;

&lt;P&gt;More about it at &lt;A href="https://answers.splunk.com/answers/206760/tcpoutputproc-cooked-connection-to-ipxxxx9997-time.html"&gt;TcpOutputProc - Cooked connection to ip=x.x.x.x:9997 timed out&lt;/A&gt;&lt;/P&gt;</description>
    <pubDate>Mon, 11 Jul 2016 13:38:49 GMT</pubDate>
    <dc:creator>ddrillic</dc:creator>
    <dc:date>2016-07-11T13:38:49Z</dc:date>
    <item>
      <title>Unable to send data from an Universal Forwarder to a Splunk Server</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-data-from-an-Universal-Forwarder-to-a-Splunk/m-p/251107#M48354</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;

&lt;P&gt;I'm new to splunk and I'm currently trying to set up a communications from a Universal Forwarder + Syslog NG server to a Splunk server.&lt;/P&gt;

&lt;P&gt;CONFIG&lt;/P&gt;

&lt;P&gt;On UForwarder side&lt;/P&gt;

&lt;P&gt;Inputs&lt;BR /&gt;
[default]&lt;BR /&gt;
host = syslog01.abc.local&lt;BR /&gt;
[monitor:////var/log/syslog-ng/logs/cisco/$HOST/$YEAR-$MONTH-$DAY-cisco.log]&lt;BR /&gt;
sourcetype = syslog&lt;BR /&gt;
index = cisco&lt;BR /&gt;
disabled = false&lt;BR /&gt;
host_segment = 6&lt;/P&gt;

&lt;P&gt;Outputs&lt;/P&gt;

&lt;P&gt;[tcpout]&lt;BR /&gt;
defaultGroup = default-autolb-group&lt;/P&gt;

&lt;P&gt;[tcpout:default-autolb-group]&lt;BR /&gt;
server = @.220:9997&lt;/P&gt;

&lt;P&gt;[tcpout-server://@.220:9997]&lt;/P&gt;

&lt;P&gt;On Splunk server side&lt;/P&gt;

&lt;P&gt;[default]&lt;BR /&gt;
host = frontlog.abc.local&lt;BR /&gt;
[splunktcp://9997]&lt;BR /&gt;
disabled=0&lt;/P&gt;

&lt;P&gt;SHOWS&lt;/P&gt;

&lt;P&gt;On Forwared side&lt;/P&gt;

&lt;P&gt;[root@syslog01 local]# netstat -anp | grep 9997&lt;BR /&gt;
tcp        0      1 @.219:48676     @.220:9997     SYN_SENT    2762/splunkd&lt;/P&gt;

&lt;P&gt;07-08-2016 06:59:51.093 +0200 WARN  TcpOutputProc - Cooked connection to ip=@.220:9997 timed out&lt;BR /&gt;
07-08-2016 07:00:21.094 +0200 WARN  TcpOutputProc - Cooked connection to ip=@.220:9997 timed out&lt;BR /&gt;
07-08-2016 07:00:43.602 +0200 WARN  TcpOutputProc - Forwarding to indexer group default-autolb-group blocked for 3400 seconds.&lt;BR /&gt;
07-08-2016 07:00:51.093 +0200 WARN  TcpOutputProc - Cooked connection to ip=@.220:9997 timed out&lt;BR /&gt;
07-08-2016 07:01:21.093 +0200 WARN  TcpOutputProc - Cooked connection to ip=@.220:9997 timed &lt;/P&gt;

&lt;P&gt;On server/receiver side:&lt;BR /&gt;
tcp        0      0 0.0.0.0:9997            0.0.0.0:*               LISTEN      7969/splunkd&lt;/P&gt;

&lt;P&gt;Nothing relevant on splunkd.log&lt;BR /&gt;
I've been able to telnet the server on port 9997.&lt;/P&gt;

&lt;P&gt;Thanks&lt;BR /&gt;
Best regards&lt;BR /&gt;
Franck&lt;/P&gt;</description>
      <pubDate>Mon, 11 Jul 2016 06:23:04 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-data-from-an-Universal-Forwarder-to-a-Splunk/m-p/251107#M48354</guid>
      <dc:creator>fstuder</dc:creator>
      <dc:date>2016-07-11T06:23:04Z</dc:date>
    </item>
    <item>
      <title>Re: Unable to send data from an Universal Forwarder to a Splunk Server</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-data-from-an-Universal-Forwarder-to-a-Splunk/m-p/251108#M48355</link>
      <description>&lt;P&gt;Do you have set &lt;EM&gt;compressed = true&lt;/EM&gt; on UF or indexer side?&lt;/P&gt;</description>
      <pubDate>Mon, 11 Jul 2016 11:43:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-data-from-an-Universal-Forwarder-to-a-Splunk/m-p/251108#M48355</guid>
      <dc:creator>horsefez</dc:creator>
      <dc:date>2016-07-11T11:43:57Z</dc:date>
    </item>
    <item>
      <title>Re: Unable to send data from an Universal Forwarder to a Splunk Server</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-data-from-an-Universal-Forwarder-to-a-Splunk/m-p/251109#M48356</link>
      <description>&lt;P&gt;We see -&lt;/P&gt;

&lt;P&gt;-- 07-08-2016 06:59:51.093 +0200 WARN TcpOutputProc - Cooked connection to ip=@.220:9997 timed out&lt;/P&gt;

&lt;P&gt;The following speaks about a similar issue - &lt;A href="https://answers.splunk.com/answers/38206/cooked-connection-timed-out.html"&gt;cooked connection timed out?&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;The issue there was - &lt;CODE&gt;found the issue - missing indexer cert&lt;/CODE&gt;.&lt;/P&gt;

&lt;P&gt;Maybe a similar thing is in your case...&lt;/P&gt;

&lt;P&gt;More about it at &lt;A href="https://answers.splunk.com/answers/206760/tcpoutputproc-cooked-connection-to-ipxxxx9997-time.html"&gt;TcpOutputProc - Cooked connection to ip=x.x.x.x:9997 timed out&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 11 Jul 2016 13:38:49 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-data-from-an-Universal-Forwarder-to-a-Splunk/m-p/251109#M48356</guid>
      <dc:creator>ddrillic</dc:creator>
      <dc:date>2016-07-11T13:38:49Z</dc:date>
    </item>
    <item>
      <title>Re: Unable to send data from an Universal Forwarder to a Splunk Server</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-data-from-an-Universal-Forwarder-to-a-Splunk/m-p/251110#M48357</link>
      <description>&lt;P&gt;Can you telnet from your UF to your indexer on port 9997? &lt;/P&gt;</description>
      <pubDate>Mon, 11 Jul 2016 14:08:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Unable-to-send-data-from-an-Universal-Forwarder-to-a-Splunk/m-p/251110#M48357</guid>
      <dc:creator>ryanoconnor</dc:creator>
      <dc:date>2016-07-11T14:08:51Z</dc:date>
    </item>
  </channel>
</rss>

