Getting Data In

universal forwarder metrics.log eventtype=connect_fail message and logs not ingesting

msplunk33
Path Finder

I receive the error below intermittently in the UF metrics log, and the indexer is not receiving any logs from this host. The error goes away after some time and the logs automatically start to flow again. Please let me know what the reason could be and how I can troubleshoot it.

destPort 9996, eventtype=connect_fail , publisher=tcpout  sourcePort=8089 statusee=TcpOutputProcessor

0 Karma

Richfez
SplunkTrust
SplunkTrust

The fact that this is intermittent and goes away after a while is really interesting. 

You may be well served by searching additional Splunk logs, both during periods where it's not communicating and, especially, at the point when it starts communicating.  What does your _internal index say just before and during the period where it starts working?

If that's not helping you find the cause, I'd suggest starting with the below "general" links and seeing what the basic troubleshooting gets you.

The first is from another question and answer in here, and seems pretty complete.

https://community.splunk.com/t5/Getting-Data-In/What-are-the-basic-troubleshooting-steps-in-case-of-...

The second is from conf 2017 and is for Linux forwarders, so I'm not sure it'll apply to Windows (and I'm also not sure whether you're on Windows or Linux for this UF!)  (BTW - conf 2020 is only a few weeks away and you should register, it's free this year!)

https://conf.splunk.com/files/2017/slides/troubleshooting-universal-forwarder-on-linux.pdf

The last is a short, official Splunk Doc on forwarder troubleshooting.  It doesn't go into a lot of depth, but still has a few things to check.

https://docs.splunk.com/Documentation/Forwarder/8.0.6/Forwarder/Troubleshoottheuniversalforwarder

Let us know how you get along with this, or if you find any smoking guns, or even if you can provide additional information - the ports involved, confirmation with telnet that the firewall isn't being stupid, the version of Splunk, the version of the UF, the operating system each is running on, etc...

0 Karma
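As an added illustration of the "look at the logs around the moment it starts working" advice above (this is example code, not from the original thread or from Splunk), the script below reads UF metrics.log lines in the key=value shape quoted in the question, tracks each tcpout destination, and turns runs of connect_fail events into outage windows with a start, an end (the next connect_done) and a retry count. The sample log lines are constructed for the example; the timestamp format, the destHost field and the connect_done event type are assumptions, not details taken from the post.

```python
import re
from datetime import datetime

# Constructed sample of UF metrics.log lines, loosely following the key=value
# shape quoted in the question. Timestamps, destHost and the connect_try /
# connect_done events are assumptions made for this example.
SAMPLE_LOG = """\
09-10-2020 10:00:05.001 +0000 INFO  Metrics - eventtype=connect_try destHost=idx1.example.net destPort=9996 publisher=tcpout sourcePort=8089 statusee=TcpOutputProcessor
09-10-2020 10:00:05.203 +0000 WARN  Metrics - eventtype=connect_fail destHost=idx1.example.net destPort=9996 publisher=tcpout sourcePort=8089 statusee=TcpOutputProcessor
09-10-2020 10:00:35.210 +0000 WARN  Metrics - eventtype=connect_fail destHost=idx1.example.net destPort=9996 publisher=tcpout sourcePort=8089 statusee=TcpOutputProcessor
09-10-2020 10:01:05.220 +0000 WARN  Metrics - eventtype=connect_fail destHost=idx1.example.net destPort=9996 publisher=tcpout sourcePort=8089 statusee=TcpOutputProcessor
09-10-2020 10:01:35.300 +0000 INFO  Metrics - eventtype=connect_done destHost=idx1.example.net destPort=9996 publisher=tcpout sourcePort=8089 statusee=TcpOutputProcessor
09-10-2020 10:30:00.100 +0000 WARN  Metrics - eventtype=connect_fail destHost=idx1.example.net destPort=9996 publisher=tcpout sourcePort=8089 statusee=TcpOutputProcessor
09-10-2020 10:30:30.100 +0000 INFO  Metrics - eventtype=connect_done destHost=idx1.example.net destPort=9996 publisher=tcpout sourcePort=8089 statusee=TcpOutputProcessor
"""

# splunkd-style timestamp, level, then the "Metrics - k=v k=v" body
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>\w+)\s+Metrics - (?P<body>.*)$"
)
# key=value pairs; a value ends at whitespace or a comma (the post shows
# "connect_fail ," with a stray comma after the value)
KV_RE = re.compile(r"(\w+)=([^\s,]+)")


def parse_metrics_line(line):
    """Return the line's fields as a dict (plus _time/_level), or None if it
    is not a Metrics line in the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("body")))
    fields["_time"] = datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f %z")
    fields["_level"] = m.group("level")
    return fields


def outage_windows(lines):
    """Group tcpout connect_fail events per destination into windows.

    A window opens on the first connect_fail for a destination and closes on
    the next connect_done for it. Windows still open when the input ends are
    returned with end=None (the forwarder was still failing at that point).
    """
    open_windows = {}
    finished = []
    for line in lines:
        ev = parse_metrics_line(line)
        if ev is None or ev.get("publisher") != "tcpout":
            continue
        dest = f'{ev.get("destHost", "?")}:{ev.get("destPort", "?")}'
        kind = ev.get("eventtype")
        if kind == "connect_fail":
            w = open_windows.setdefault(
                dest, {"dest": dest, "start": ev["_time"], "end": None, "failures": 0}
            )
            w["failures"] += 1
        elif kind == "connect_done" and dest in open_windows:
            w = open_windows.pop(dest)
            w["end"] = ev["_time"]
            finished.append(w)
    finished.extend(open_windows.values())
    for w in finished:
        w["duration_s"] = (
            None if w["end"] is None
            else round((w["end"] - w["start"]).total_seconds(), 1)
        )
    return finished


if __name__ == "__main__":
    for w in outage_windows(SAMPLE_LOG.splitlines()):
        state = "recovered" if w["end"] else "STILL FAILING"
        print(f'{w["dest"]}: {w["failures"]} failed attempts from {w["start"]} '
              f'to {w["end"]} ({w["duration_s"]} s, {state})')
```

The end timestamp of each window is the moment to line up against the _internal index and the indexer's own splunkd.log, as the answer suggests: whatever changed right then (an indexer restart, a firewall state change, a name resolution hiccup) is usually the cause. Point the script at a real metrics.log with `outage_windows(open(path))` once you have confirmed the line shape matches your version.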