Connection Timed out and An existing connection was forcibly closed by the remote host

vino06
New Member

Hi Guys,

I am just a newbie in Splunk and this will be my first time performing troubleshooting. I'm having a connection timed out with 6 of our servers and I think this is the reason why there are no logs being forwarded to our Indexers. Also there is an error saying that "An existing connection was forcibly closed by the remote host". I hope anyone can help me with how to resolve this issue. Please see the screenshot below for reference.

0 Karma
1 Solution

gcusello
SplunkTrust

Hi vino06,
no, there is another problem, because Splunk Forwarders continuously send internal logs to Indexers, so the channel is used.

The problem is another: at first, are you sure about the available network bandwidth?

In addition: what storage do you use; in other words, are the disks quick or not?
One usual problem of timeout is that the Indexer is overloaded, so it cannot manage to index logs and puts the transmission on wait.
In these cases the Forwarder caches its logs and sends them as soon as the connection is available, so you don't lose data.

Check the performance and hardware requirements of your Indexer.

Bye.
Giuseppe

0 Karma

lfedak_splunk
Splunk Employee

Hey @vino06, If cusello solved your problem, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!

0 Karma

vino06
New Member

I already sought assistance from our FW team to check the connection of the servers going to our Indexers. Also, I think you're right in saying that our Indexer is overloaded, since we usually encounter this, which results in "No Result found" on some of our servers as well. But how can I fix the "Connection Timed out" or the "Existing Connection was forcibly closed by remote host"?

0 Karma

gcusello
SplunkTrust

Hi vino06,
Using Forwarders you don't lose events, because they cache them locally and then send them to the Indexers as soon as they are available.
Check if this is true in your situation; in other words, see if you have in your indexer all the events of your files.
Anyway, you can use the Distributed Monitoring Console to check the Indexers' health and indexing load.
Bye.
Giuseppe

0 Karma
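
An added example, not part of any post in this thread: a small Python probe, run from an affected forwarder host, that tells apart the two errors in the thread title (a connect that times out versus a connection that is accepted and then reset). The host names and port 9997 are assumptions; use the indexers and receiving port that your forwarders' outputs.conf points at.

```python
import socket

# General TCP reading of each outcome (not Splunk-specific diagnostics).
HINTS = {
    "connect_timeout": "no reply to the connect: firewall/route drop, host down, or listen queue full",
    "refused": "host reachable but nothing is listening on that port",
    "reset_by_peer": "connection accepted, then torn down by the remote end or a device in the path",
    "closed_by_peer": "remote end accepted and then closed the connection cleanly",
    "established": "connection stayed open for the whole wait: the network path is fine",
}

def probe(host, port, timeout=5.0):
    """Open one TCP connection, send nothing, and classify what happens to it."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except (socket.timeout, TimeoutError):
        return "connect_timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:          # DNS failure, no route to host, ...
        return f"error:{exc.errno}"
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(1)     # wait to see whether the peer drops us
        except (socket.timeout, TimeoutError):
            return "established"
        except ConnectionResetError:
            # Windows words this as "forcibly closed by the remote host"
            return "reset_by_peer"
        except OSError as exc:
            return f"error:{exc.errno}"
        return "closed_by_peer" if data == b"" else "established"

def check_indexers(targets, timeout=5.0):
    """Probe every (host, port) pair and return {"host:port": outcome}."""
    return {f"{h}:{p}": probe(h, p, timeout) for h, p in targets}

if __name__ == "__main__":
    # Constructed placeholders: replace with your indexers and receiving port.
    targets = [("idx1.example.internal", 9997), ("idx2.example.internal", 9997)]
    for target, outcome in check_indexers(targets).items():
        print(f"{target:30} {outcome:16} {HINTS.get(outcome, 'see OS error number')}")
```

If every affected server reports `connect_timeout`, the firewall check is the right next step; `established` on all of them points back at indexer load, as suggested in the answers above.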