Getting Data In

Forwarder to Splunk Cloud suddenly stopped: error tcpoutputfd 1158951 connection to host 9997 failed ssl error = no error

ThuLe
Explorer

Hello,

I have HF and UF acting as intermediate forwarders, forwarding logs to Splunk Cloud. We installed the credentials (.spl file) downloaded from Splunk Cloud, and the forwarders were working fine until November 28, when they stopped sending logs to Splunk Cloud. The error in splunkd.log is:

ThuLe_0-1764992510512.png

The network team confirmed that they did not change anything on the FW.

We have searched and tried re-downloading the credentials (.spl file) from Splunk Cloud and reinstalled them on the forwarders, but the same errors persist. The errors only disappear when we disable the credentials app 100_<cloud instance>_splunkcloud.

Has anyone experienced this issue? Please help

Thank you very much

1 Solution

livehybrid
SplunkTrust

Hi @ThuLe 

From my experience with 104 socket error (ECONNRESET) it has been a firewall issue every time, even when I was told there was no firewall between the two points (spoiler - there was!) 

I found that where a firewall was either blocking the content or attempting SSL introspection then it can cause the 104 error (which is ECONNRESET)

PrewinThomas
Motivator

@ThuLe 

Most probably network related.
- Check connectivity to Splunk Cloud:

telnet inputs1.STACKID.splunkcloud.com 9997

- Check whether firewall/SSL inspection was recently enabled or changed

#https://splunk.my.site.com/customer/s/article/Splunk-Universal-Forwarder-is-not-sending-events-to-Sp...

Regards,
Prewin

PickleRick
SplunkTrust

As far as I remember, error 104 means problems on a tcp connection level. Troubleshoot the connection with your typical network-level tools (tcpdump, netcat...) and verify your firewall config/logs.
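
The checks suggested in the replies, as an added example (not code from any poster or from Splunk): it separates a failed TCP connect from a connection that opens and is then reset during the TLS handshake (the errno 104 case), and on a completed handshake returns the SHA-256 fingerprint of the presented certificate, which can be compared with one taken from a network path known to have no SSL inspection. The function name `probe` and the stage labels are made up for this example, and it does not load the certificates from the credentials app.

```python
import hashlib
import socket
import ssl
import sys


def probe(host, port=9997, timeout=5.0):
    """Return (stage, detail) describing where a TLS connection to host:port breaks."""
    # Stage 1: plain TCP connect, the same thing `telnet host 9997` checks.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp_failed", str(exc))

    # Stage 2: TLS handshake. Verification is disabled only so that whatever
    # certificate is presented can be fingerprinted; this is a diagnostic
    # setting, not one to copy into outputs.conf.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if der is None:
                return ("tls_ok", "no certificate presented")
            return ("tls_ok", hashlib.sha256(der).hexdigest())
    except ConnectionResetError as exc:
        # ECONNRESET (errno 104 on Linux): TCP opened, then the peer or a
        # device on the path reset it before the handshake finished.
        return ("reset_during_tls", str(exc))
    except ssl.SSLError as exc:
        # The far end answered at the TLS layer but the handshake failed.
        return ("tls_error", str(exc))
    except OSError as exc:
        # Timeouts and other socket-level failures after connect.
        return ("io_error", str(exc))
    finally:
        sock.close()


if __name__ == "__main__":
    # Usage: python probe.py inputs1.STACKID.splunkcloud.com
    print(probe(sys.argv[1]))
```

A `reset_during_tls` result from the forwarder host, next to `tls_ok` from a host on a different network path, points at a device between the forwarder and Splunk Cloud.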
