Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

forwarder

SN1
Path Finder
‎02-06-2025 07:58 AM

hello we are unable to receive logs from forwarders from 29 january. i checked splund.log and found this error
ERROR TcpOutputFd [110883 TcpOutEloop] - Connection to host=<ip>:port failed

what should I do?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-06-2025 08:06 AM

Hi @SN1 ,

probably that day someone closed the firewall port between Forwarder and Indexer.

The port should be 9997.

if this is the port, you can try using telnet from the Forwarder:

telnet <host_ip> <port>

Ciao.

Giuseppe

0 Karma
Reply

SN1
Path Finder
‎02-06-2025 08:27 PM

hello after this command on deployment server it is showing this error


telnet: Unable to connect to remote host: Connection refused

0 Karma
Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎02-06-2025 10:22 PM

Hi @SN1 

telent command need to run on forwader as mentioned by @gcusello and also hope you followed stpes menioned by @livehybrid 


0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎02-06-2025 08:04 AM

The error you're seeing suggests a network connectivity issue between your forwarder and the receiving Splunk instance (likely an Indexer or Heavy Forwarder).

Here are some steps to troubleshoot:

Verify network connectivity: -

  • Can you connect to the destination host from the forwarder (Try using netcat with something like `nc -vz -w1 <destinationIP> <destinationPort>`
  • Is the specified port open and accessible on the destination server (Is Splunk listening?)
  • Are any other hosts able to connect and send data?
  • Check firewall rules: - Ensure no firewall is blocking the connection on either end.
  • Verify Splunk configurations: - On the forwarder, check outputs.conf for correct destination settings. - On the receiving end, verify inputs.conf for proper port configurations.
  • Restart Splunk services: - Sometimes a restart can resolve connectivity issues, try restarting the forwarder, if no progress then try restart Splunk on the receiver to confirm it is working correctly.
  • Check for any recent network changes - Were there any infrastructure modifications around January 29th?

Please let me know how you get on and consider upvoting/karma this answer if it has helped.
Regards

Will

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...