Why am I getting timeout issues from Splunk forwar...

raindrop18 · ‎08-15-2016

I have a random time out issue from Splunk forwarders to the Splunk intermediate (heavy) forwarder.

When I do netstat -al | grep 9997, I get:

splunkndx-9997 SYN_SENT
splunkndx-9997 FIN_WAIT1

from universal forwarder side splunkd.log

08-16-2016 02:08:50.047 +0000 WARN  TcpOutputProc - Forwarding to indexer group sid_9997 blocked for 1600 seconds.
08-16-2016 02:08:50.978 +0000 WARN  TcpOutputProc - Cooked connection to ip=*.*.*.*:9997 timed out
08-16-2016 02:09:11.981 +0000 WARN  TcpOutputProc - Cooked connection to ip=*.*.*.*:9997 timed out

When I do Telnet, 9 times out of 10, I get a timeout. Is there any config I can tune up or the heavy forwarders need to be resized? The CPU usage is less than 10%. Any suggestions?

hardikJsheth · ‎08-15-2016

This seems to be problem with routing taken to reach the forwarder rather than Splunk or CPU usage. Can you verify entries in routing table?

Why am I getting timeout issues from Splunk forwarders to the intermediate heavy forwarder?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation