I have configured a universal forwarder on one of our Linux systems. When i check the logs it shows
Connection to host=192.168.2.1:9997 failed (where 192.168.2.1 is splunk enterprise ) server.
I have referred to this solution but didn't work http://answers.splunk.com/answers/49833/splunk-forwarder-connection-refused-from-splunk-indexer.html
do the usual troubleshooting like:
add any further troubleshooting steps here