Getting Data In

Why did universal forwarder stop forwarding data?

Eshwar
Engager

Hi Community,

We installed the Universal Forwarder on a Windows 2019 server and were able to get the data into Splunk. Since yesterday, the Universal Forwarder has stopped forwarding data to the indexer. There has been no change in network and configuration. We identified the error below while troubleshooting the issue.

ERROR TcpOutputFd [4124 TcpOutEloop] - Connection to host=xx.xx.xx.xx:9997 failed
06-13-2023 00:11:28.769 -0700 WARN AutoLoadBalancedConnectionStrategy [4124 TcpOutEloop] - Applying quarantine to ip=xx.xx.xx.xx port=9997 connid=0 _numberOfFailures=2
06-13-2023 00:11:47.944 -0700 WARN TcpOutputProc [7272 parsing] - The TCP output processor has paused the data flow. Forwarding to host_dest=xx.xx.xx.xx inside output group default-autolb-group from host_src=hostname1 has been blocked for blocked_seconds=1300. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.
06-13-2023 00:12:02.123 -0700 INFO HttpPubSubConnection [4976 HttpClientPollingThread_D1664EB5-096A-4F59-8E50-70D7FB5CDD49] - Running phone uri=/services/broker/phonehome/connection_xx.xx.xx.xx_8089_xx.xx.xx.xx_hostname1_D1664EB5-096A-4F59-8E50-70D7FB5CDD49
06-13-2023 00:13:02.167 -0700 INFO HttpPubSubConnection [4976 HttpClientPollingThread_D1664EB5-096A-4F59-8E50-70D7FB5CDD49] - Running phone uri=/services/broker/phonehome/connection_xx.xx.xx.xx_8089_xx.xx.xx.xx_hostname1_D1664EB5-096A-4F59-8E50-70D7FB5CDD49
06-13-2023 00:13:28.222 -0700 WARN TcpOutputProc [7272 parsing] - The TCP output processor has paused the data flow. Forwarding to host_dest=xx.xx.xx.xx inside output group default-autolb-group from host_src=hostname1 has been blocked for blocked_seconds=1400. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.
06-13-2023 00:14:02.186 -0700 INFO HttpPubSubConnection [4976 HttpClientPollingThread_D1664EB5-096A-4F59-8E50-70D7FB5CDD49] - Running phone uri=/services/broker/phonehome/connection_xx.xx.xx.xx_8089_xx.xx.xx.xx_hostname1_D1664EB5-096A-4F59-8E50-70D7FB5CDD49
06-13-2023 00:15:02.197 -0700 INFO HttpPubSubConnection [4976 HttpClientPollingThread_D1664EB5-096A-4F59-8E50-70D7FB5CDD49] - Running phone uri=/services/broker/phonehome/connection_xx.xx.xx.xx_8089_xx.xx.xx.xx_hostname1_D1664EB5-096A-4F59-8E50-70D7FB5CDD49
06-13-2023 00:15:08.542 -0700 WARN TcpOutputProc [7272 parsing] - The TCP output processor has paused the data flow. Forwarding to host_dest=xx.xx.xx.xx inside output group default-autolb-group from host_src=hostname1 has been blocked for blocked_seconds=1500. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data.

Please help us to resolve the issue.

0 Karma

richgalloway
SplunkTrust

The first log message is key: the UF lost the connection to the indexer.  Verify the indexer is still running and using port 9997.  Confirm the UF is allowed to connect to that address and port.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Eshwar
Engager

Hi @richgalloway,

Yes, the indexer is running and other universal forwarders are sending data to the indexer. When doing a telnet on port 9997 from the universal forwarder, it refuses the connection. We have disabled the firewall on both servers.

0 Karma

richgalloway
SplunkTrust

Have you tried restarting the UF?

---
If this reply helps you, Karma would be appreciated.
0 Karma

isoutamo
SplunkTrust

When you said "refused connection", what do you actually mean? Did it drop the connection, refuse it, or was it splunkd that refused it?

What are you finding in splunkd.log on the indexer side?

0 Karma
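
The three outcomes asked about in the last reply (connection dropped, refused, or closed by the receiving process) can be told apart from the forwarder host with a small TCP probe. This is an added example, not code from any poster in this thread; the function name `classify_connect` and the result labels are this example's own, and it assumes the listener waits for the client to send first.

```python
import socket
import sys

# Result labels are this example's own names, not Splunk terminology.
MEANING = {
    "accepted": "handshake completed and the listener is holding the connection open",
    "closed_after_accept": "handshake completed, then the listening process closed it",
    "refused": "host answered with a reset: nothing listening, or an active reject",
    "timeout": "no answer at all: packets dropped on the path or at the host",
    "unreachable": "routing or name-resolution error before any handshake",
}

def classify_connect(host, port, timeout=3.0):
    """Attempt one TCP connection and return a key of MEANING."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    with sock:
        sock.settimeout(timeout)
        try:
            # Assumption: the listener waits for the client to send first,
            # so a healthy port stays silent and this read times out.
            data = sock.recv(1)
        except socket.timeout:
            return "accepted"
        except (ConnectionResetError, ConnectionAbortedError):
            return "closed_after_accept"
        # An empty read means the peer closed the connection cleanly.
        return "accepted" if data else "closed_after_accept"

if __name__ == "__main__":
    # Usage: python probe.py <indexer-address> [port]
    # 9997 is the receiving port shown in the thread's log lines.
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 9997
    result = classify_connect(host, port)
    print(f"{host}:{port} -> {result}: {MEANING[result]}")
```

Running the same probe from a forwarder that is still sending data gives a baseline to compare against.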