Getting Data In

universal forwarder metrics.log eventtype=connect_fail message and log not ingesting

msplunk33
Path Finder

I receive the below error intermittently in the UF metrics log, and the indexer is not receiving any logs from this host. This error goes away after some time and logs automatically start to flow. Please let me know what could be the reason and how I can troubleshoot.

destPort 9996, eventtype=connect_fail , publisher=tcpout  sourcePort=8089 statusee=TcpOutputProcessor


Richfez
SplunkTrust

The fact that this is intermittent and goes away after a while is really interesting. 

You may be well served by searching additional Splunk logs, both during periods where it's not communicating, and also and especially at that point when it starts communicating. What does your _internal index say just before and during that period where it starts working?

If that's not helping you find the cause, I'd suggest starting with the below "general" links and seeing what the basic troubleshooting gets you.

The first is from another question and answer in here, and seems pretty complete.

https://community.splunk.com/t5/Getting-Data-In/What-are-the-basic-troubleshooting-steps-in-case-of-...

The second is from conf 2017 and is for Linux forwarders, so I'm not sure it'll apply to Windows (and also I'm not sure you are Windows or Linux for this uf!)  (BTW - conf 2020 is only a few weeks away and you should register, it's free this year!)

https://conf.splunk.com/files/2017/slides/troubleshooting-universal-forwarder-on-linux.pdf

The last is a short, official Splunk Doc on forwarder troubleshooting.  It doesn't go into a lot of depth, but still has a few things to check.

https://docs.splunk.com/Documentation/Forwarder/8.0.6/Forwarder/Troubleshoottheuniversalforwarder

Let us know how you get along with this, or if you find any smoking guns or even can provide additional information - the ports involved, confirmation with telnet the firewall isn't being stupid, the version of Splunk, the version of the UF, the operating system each is running on, etc...

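As an added example (not code from the thread or from Splunk), the following Python script turns a forwarder's metrics.log into a list of outage windows per indexer, pairing each run of eventType=connect_fail with the next connect_done for the same destination so the gaps can be lined up against the _internal index and firewall logs. The StatusMgr line layout and the sample lines are constructed from the fragment quoted in the question; the hostnames, IPs and timestamps are made up.

```python
import re
from datetime import datetime

# Constructed sample in the StatusMgr layout implied by the question (hosts/times made up).
SAMPLE_METRICS_LOG = """\
09-15-2020 10:00:05.120 +0000 INFO  StatusMgr - destHost=idx1.example, destIp=10.0.0.5, destPort=9996, eventType=connect_done, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor
09-15-2020 10:07:31.004 +0000 INFO  StatusMgr - destHost=idx1.example, destIp=10.0.0.5, destPort=9996, eventType=connect_fail, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor
09-15-2020 10:08:01.210 +0000 INFO  StatusMgr - destHost=idx1.example, destIp=10.0.0.5, destPort=9996, eventType=connect_fail, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor
09-15-2020 10:12:44.870 +0000 INFO  StatusMgr - destHost=idx1.example, destIp=10.0.0.5, destPort=9996, eventType=connect_done, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor
09-15-2020 10:30:00.000 +0000 INFO  StatusMgr - destHost=idx2.example, destIp=10.0.0.6, destPort=9996, eventType=connect_fail, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor
"""

# Timestamp, log level, then the comma-separated key=value payload after "StatusMgr - ".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) \S+\s+StatusMgr - (?P<kv>.*)$"
)

def parse_line(line):
    """Return (timestamp, fields) for a StatusMgr line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f %z")
    fields = dict(kv.strip().split("=", 1) for kv in m.group("kv").split(",") if "=" in kv)
    return ts, fields

def outage_windows(text):
    """Map 'destHost:destPort' -> [(first_fail, recovered_at_or_None, fail_count), ...]."""
    open_windows, result = {}, {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if f.get("publisher") != "tcpout":      # only the tcpout forwarding path
            continue
        dest = f"{f.get('destHost')}:{f.get('destPort')}"
        if f.get("eventType") == "connect_fail":
            if dest in open_windows:
                open_windows[dest][2] += 1       # still failing: extend the window
            else:
                open_windows[dest] = [ts, None, 1]
        elif f.get("eventType") == "connect_done" and dest in open_windows:
            start, _, n = open_windows.pop(dest)
            result.setdefault(dest, []).append((start, ts, n))
    for dest, (start, _, n) in open_windows.items():   # never recovered in this log
        result.setdefault(dest, []).append((start, None, n))
    return result

if __name__ == "__main__":
    for dest, windows in outage_windows(SAMPLE_METRICS_LOG).items():
        for start, end, n in windows:
            dur = f"{(end - start).total_seconds():.0f}s" if end else "still down"
            print(f"{dest}: {n} connect_fail from {start.isoformat()} ({dur})")
```

Run it against $SPLUNK_HOME/var/log/splunk/metrics.log on the forwarder instead of the sample; a window that closes on its own with no matching change on the indexer points at the network path between the two rather than at either Splunk instance.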