Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Issue with forwarder. Couldn't complete HTTP reque...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Issue with forwarder. Couldn't complete HTTP request: Connection timed out
I have several forwarders, all installed on Ubuntu 14.04 boxes. One of them stopped working but the rest are fine. After troubleshooting, the only difference on the one not working from the others is that when I try these commands:
./splunk list forward-server
./splunk show deploy-poll
I get an error which is "Couldn't complete HTTP request: Connection timed out"
These commands work on my other forwarders and immediately ask me for my credentials. When I try these commands on the box that isn't working, it takes about 30 seconds and then gives me that error. I can't find any information about this error online (I find the error but not anything about why a connection would time out. The outputs.conf file is the same on every box and any other .conf file I know about is the same.
Anyone know what would cause this or even a log file I can view that might give me a clue? Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
go to
Etc/system/local/inputs.conf
[splunktcp://9997]
connection_host = none
restart Splunk server and it will be fixed. DNS is holding it all up.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Make sure that a firewall is not running and blocking ports.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd check the ports on the box. When it seems like a box isn't listening, it's possible that it isn't listening.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cheerful place to start at I can't find my data!
Especially the section which says -
-- Are my forwarders connecting to my receiver? Which IP addresses are connecting to Splunk as inputs, and how many times is each IP logged in metrics.log?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the input. I ran the command "index=_internal source=metrics.log tcpin_connections | stats count by sourceIp" in Splunk and the IP address of the box is showing up. Does this mean that it is sending something to Splunk but Splunk is not displaying the events? What could cause Splunk to get events but not display them?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
