I have configured a universal forwarder on one of our Linux systems. When I check the logs, it shows
Connection to host=192.168.2.1:9997 failed (where 192.168.2.1 is the Splunk Enterprise server).
I have referred to this solution, but it didn't work: http://answers.splunk.com/answers/49833/splunk-forwarder-connection-refused-from-splunk-indexer.html
hi nitheeshp86,
do the usual troubleshooting like:
receiving on the Splunk indexer? http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Enableareceiver
add any further troubleshooting steps here
cheers, MuS
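
An added example, not part of either post above: a small probe, run from the forwarder host, that classifies why a TCP connection to the receiver port fails, which narrows the problem to "receiving not enabled" versus a network or firewall issue. The function name, the outcome labels and the hint texts are this example's own assumptions; the address and port are the ones from the question.

```python
import errno
import socket
import sys

# How to read each outcome for a forwarder -> receiver link.
# These hints are this example's interpretation, not Splunk output.
HINTS = {
    "listening": "port accepts TCP; look at outputs.conf, SSL settings and splunkd.log next",
    "refused": "host is reachable but nothing accepts on the port; receiving is "
               "probably not enabled on the indexer, or a firewall rejects the port",
    "timeout": "no reply at all; a firewall is dropping the packets or the route is wrong",
    "unreachable": "no route to the receiver host or network",
    "dns": "the receiver host name does not resolve on this machine",
}


def probe_receiver(host, port=9997, timeout=3.0):
    """Attempt one TCP connect to the receiver and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "listening"
    except socket.gaierror:
        return "dns"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        if exc.errno == errno.ETIMEDOUT:
            return "timeout"
        raise  # anything else is unexpected; show it rather than guess


if __name__ == "__main__":
    # Default target is the receiver address quoted in the question.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.2.1"
    state = probe_receiver(target)
    print(f"{target}:9997 -> {state}: {HINTS[state]}")
```

A "refused" result points at the indexer side (the receiving check in the answer), while "timeout" points at something between the two hosts.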