Getting Data In

How to troubleshoot error "TcpOutputFd - Connection to xxx host failed." on the forwarder?

Explorer

I am getting a TcpOutputFd on the forwarder. Connection to xxx host failed.

4-22-2015 16:17:34.736 -0400 WARN  TcpOutputFd - Connect to :9997 failed. Connection refused
04-22-2015 16:17:34.745 -0400 ERROR TcpOutputFd - Connection to host=xxxxxx:9997 failed
04-22-2015 16:17:34.747 -0400 INFO  TcpOutputProc - Detected idx=hostname:9997 shutting down
04-22-2015 16:17:34.747 -0400 INFO  TcpOutputProc - Will close stream to current indexer xxxxxx

I removed the host ip and replaced with xxx. Where should I investigate this issue?

0 Karma
1 Solution

Explorer

Thanks to everyone. I found the tcp port was not setup in the inputs.conf file. Added the tcp entry and it is working.

View solution in original post

0 Karma

Explorer

Thanks to everyone. I found the tcp port was not setup in the inputs.conf file. Added the tcp entry and it is working.

View solution in original post

0 Karma

Contributor

Firstly, on Forwarder check to which instances it is sending the data to using
1. /opt/splunk/bin/splunk btool outputs lists --debug
once u get the output list(IP's)
2. Ping the IP's/IDX to check the connectivity

Go to the respective IP's/IDX and check the instance status
1. Server is up and running
2. Look for listening ports(netstat -an)
3. Check Splunk status and also the splunkd.logs

SplunkTrust
SplunkTrust

Hi pb0543,

usually a message connection refused means that the remote server is not listening on the requested port. So check if you enabled receiving on your indexer http://docs.splunk.com/Documentation/Splunk/6.2.2/Forwarding/Enableareceiver and you're able to connect from the forwarder to the receiving port of the indexer (network routes, firewall and so on).

Hope this helps ...

cheers, MuS