Why am I getting "Connection to host=:9997 failed"...

nitheeshp86 · ‎11-19-2014

I have configured a universal forwarder on one of our Linux systems. When i check the logs it shows

Connection to host=192.168.2.1:9997 failed (where 192.168.2.1 is splunk enterprise ) server.

MuS · ‎11-19-2014

hi nitheeshp86,

do the usual troubleshooting like:

can your frowarder telnet to the ip and port?
check firewall rules and IP routing
check on the OS level of your indexer, if you see/get packet from the forwarder
did you enable receiving on the Splunk indexer? http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Enableareceiver
is your Splunk indexer running?
add any further troubleshooting steps here

cheers, MuS

Why am I getting "Connection to host=:9997 failed" after configuring a universal forwarder on Linux?