I have an issue with our HEC service in our Splunk standalone installation (9.0.6). It simply does not complete the TCP connection for some unknown reason.
Local FW is OFF. Ping works but TCP does not complete the connection.
Everything else works normally. I can connect to Splunk and search data, and universal forwarders report commonly (no deployment errors)... only HEC does not work as it should.
HEC global settings
From Wireshark, the TCP retransmission can be seen, but I can't find the root cause for it.
Any idea of what could be happening?