Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

forwarder

SN1
Path Finder
‎02-06-2025 07:58 AM

hello we are unable to receive logs from forwarders from 29 january. i checked splund.log and found this error
ERROR TcpOutputFd [110883 TcpOutEloop] - Connection to host=<ip>:port failed

what should I do?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-06-2025 08:06 AM

Hi @SN1 ,

probably that day someone closed the firewall port between Forwarder and Indexer.

The port should be 9997.

if this is the port, you can try using telnet from the Forwarder:

telnet <host_ip> <port>

Ciao.

Giuseppe

0 Karma
Reply

SN1
Path Finder
‎02-06-2025 08:27 PM

hello after this command on deployment server it is showing this error


telnet: Unable to connect to remote host: Connection refused

0 Karma
Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎02-06-2025 10:22 PM

Hi @SN1 

telent command need to run on forwader as mentioned by @gcusello and also hope you followed stpes menioned by @livehybrid 


0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎02-06-2025 08:04 AM

The error you're seeing suggests a network connectivity issue between your forwarder and the receiving Splunk instance (likely an Indexer or Heavy Forwarder).

Here are some steps to troubleshoot:

Verify network connectivity: -

  • Can you connect to the destination host from the forwarder (Try using netcat with something like `nc -vz -w1 <destinationIP> <destinationPort>`
  • Is the specified port open and accessible on the destination server (Is Splunk listening?)
  • Are any other hosts able to connect and send data?
  • Check firewall rules: - Ensure no firewall is blocking the connection on either end.
  • Verify Splunk configurations: - On the forwarder, check outputs.conf for correct destination settings. - On the receiving end, verify inputs.conf for proper port configurations.
  • Restart Splunk services: - Sometimes a restart can resolve connectivity issues, try restarting the forwarder, if no progress then try restart Splunk on the receiver to confirm it is working correctly.
  • Check for any recent network changes - Were there any infrastructure modifications around January 29th?

Please let me know how you get on and consider upvoting/karma this answer if it has helped.
Regards

Will

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...