Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

universal forwarder matrics.log eventtype=connect_fail message and log not ingesting

msplunk33
Path Finder
‎10-06-2020 05:47 PM

I receive the below error intermixingly in the UF metrics log and indexer is not receiving any log from this host. This error goes after sometime and log automatically start to flow. Please let me know what could be the reason. How I can troubleshoot.

destPort 9996, eventtype=connect_fail , publisher=tcpout  sourcePort=8089 statusee=TcpOutputProcessor

Labels (1)
Labels
Tags (1)
0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎10-07-2020 08:26 AM

The fact that this is intermittent and goes away after a while is really interesting. 

You may be well served by searching additional Splunk logs, both during periods where it's not communicating, and also and especially at that point when it starts communicating.  What does your _internal index say just before and during that period where it starts working?

If that's not helping you find the cause, I'd suggest starting with the below "general" links and seeing what the basic troubleshooting gets you.

The first is from another question and answer in here, and seems pretty complete.

https://community.splunk.com/t5/Getting-Data-In/What-are-the-basic-troubleshooting-steps-in-case-of-...

The second is from conf 2017 and is for Linux forwarders, so I'm not sure it'll apply to Windows (and also I'm not sure you are Windows or Linux for this uf!)  (BTW - conf 2020 is only a few weeks away and you should register, it's free this year!)

https://conf.splunk.com/files/2017/slides/troubleshooting-universal-forwarder-on-linux.pdf

The last is a short, official Splunk Doc on forwarder troubleshooting.  It doesn't go into a lot of depth, but still has a few things to check.

https://docs.splunk.com/Documentation/Forwarder/8.0.6/Forwarder/Troubleshoottheuniversalforwarder

Let us know how you get along with this, or if you find any smoking guns or even can provide additional information - the ports involved, confirmation with telnet the firewall isn't being stupid, the version of Splunk, the version of the UF, the operating system each is running on, etc...

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...