Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I resolve universal forwarder issue with TCP connection (can telnet to 8089 and 9997 though from host)?

ericzabowski
Engager
‎05-08-2023 07:42 AM

Hello! Been using the universal forwarder for years connecting to a heavy forwarder currently forwarding to splunk cloud. Installing it on a new AWS host, running into the below errors when data inputs change. I've confirmed that the forwarder is reachable out from the host using telnet.

Any Ideas?

05-08-2023 10:35:09.570 -0400 INFO AutoLoadBalancedConnectionStrategy [668 TcpOutEloop] - Removing quarantine from idx=10.9.101.133:9997 connid=2
05-08-2023 10:35:09.570 -0400 INFO AutoLoadBalancedConnectionStrategy [668 TcpOutEloop] - Removing quarantine from idx=10.9.101.133:9997 connid=3
05-08-2023 10:35:09.601 -0400 ERROR TcpOutputFd [668 TcpOutEloop] - Read error. An established connection was aborted by the software in your host machine.
05-08-2023 10:35:09.648 -0400 ERROR TcpOutputFd [668 TcpOutEloop] - Read error. An established connection was aborted by the software in your host machine.
05-08-2023 10:35:09.679 -0400 ERROR TcpOutputFd [668 TcpOutEloop] - Read error. An established connection was aborted by the software in your host machine.
05-08-2023 10:35:09.726 -0400 ERROR TcpOutputFd [668 TcpOutEloop] - Read error. An established connection was aborted by the software in your host machine.
05-08-2023 10:35:09.773 -0400 ERROR TcpOutputFd [668 TcpOutEloop] - Read error. An established connection was aborted by the software in your host machine.
05-08-2023 10:35:09.773 -0400 WARN AutoLoadBalancedConnectionStrategy [668 TcpOutEloop] - Applying quarantine to ip=10.9.101.133 port=9997 connid=3 _numberOfFailures=2
05-08-2023 10:35:09.804 -0400 ERROR TcpOutputFd [668 TcpOutEloop] - Read error. An established connection was aborted by the software in your host machine.
05-08-2023 10:35:09.804 -0400 WARN AutoLoadBalancedConnectionStrategy [668 TcpOutEloop] - Applying quarantine to ip=10.9.101.133 port=9997 connid=2 _numberOfFailures=2
05-08-2023 10:35:09.851 -0400 ERROR TcpOutputFd [668 TcpOutEloop] - Read error. An established connection was aborted by the software in your host machine.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ericzabowski
Engager
‎06-13-2023 07:44 AM

Resolved - Outbound traffic was fine from the AWS host, but inbound traffic to our DC wasn't showing the traffic reaching the heavy forwarder.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ericzabowski
Engager
‎06-13-2023 07:44 AM

Resolved - Outbound traffic was fine from the AWS host, but inbound traffic to our DC wasn't showing the traffic reaching the heavy forwarder.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...