Getting Data In

Forwarder to Splunk Cloud suddenly stopped: error tcpoutputfd 1158951 connection to host 9997 failed ssl error = no error

ThuLe
Explorer

Hello,

I have HF and UF acting as intermediate forwarders that forward logs to Splunk Cloud. We installed the credentials (.spl file) downloaded from Splunk Cloud, and the forwarders were working fine until November 28, when they stopped sending logs to Splunk Cloud. The error in splunkd.log is:

ThuLe_0-1764992510512.png

The network team confirms that they did not change anything on the FW.

We have searched and tried re-downloading the credentials (.spl file) from Splunk Cloud and reinstalled them on the forwarders, but the same errors persist. The errors only disappear when we disable the credentials app 100_<cloud instance>_splunkcloud.

Has anyone experienced this issue? Please help.

Thank you very much.


PrewinThomas
Motivator

@ThuLe 

Most probably network related.
- Check connectivity to Splunk Cloud:

telnet inputs1.STACKID.splunkcloud.com 9997

- Check whether firewall/SSL inspection was recently enabled or changed

#https://splunk.my.site.com/customer/s/article/Splunk-Universal-Forwarder-is-not-sending-events-to-Sp...

Regards,
Prewin

livehybrid
SplunkTrust

Hi @ThuLe 

From my experience with the 104 socket error (ECONNRESET), it has been a firewall issue every time, even when I was told there was no firewall between the two points (spoiler - there was!)

I found that where a firewall was either blocking the content or attempting SSL introspection, it can cause the 104 error (which is ECONNRESET).


PickleRick
SplunkTrust

As far as I remember, error 104 means problems at the TCP connection level. Troubleshoot the connection with your typical network-level tools (tcpdump, netcat...) and verify your firewall config/logs.
