ERROR TcpOutputFd [TcpOutEloop] - Read error. An existing connection was forcibly closed by the remote host.

Balshore
Loves-to-Learn

I have this error on one of our Splunk Windows UF, and I cannot resolve the issue.

Our setup is UF > Intermediate HF > HF > Indexer.

1. Connection from the UF to the intermediate HF port 9997 is okay, using tnc.

2. Tried reinstalling the UF and restarting the intermediate HF, but still no success.

3. I noticed that from the intermediate HF, it's only sending SYN_RECV packets to the UF.

Please help to check.

Balshore


PickleRick
SplunkTrust

The error itself means just what it says - the other end of the connection shut the connection before your end completed what it was doing (and maybe shut the connection on your end).

The actual cause might vary - it might be due to the other end getting "clogged" (probable if the connection is getting closed sometimes but generally works). It might be because of TLS mismatch (so your end initiates the connection but cannot complete the TLS negotiation).

You should look for more info in logs on both sides of the connection.


Balshore
Loves-to-Learn

Thanks for your reply.

I’ve been reviewing the splunkd.log, specifically searching for keywords such as “blocked”, “full”, “tcpin”, “error”, and “warn”. However, I haven’t been able to find any logs indicating errors related to the UF.

To provide more context, I have already successfully onboarded around 100 UFs, and this appears to be the only one encountering issues.

I also removed the inputs on the UF side to help isolate whether this could be an ingestion-related issue, but the problem persists.

Thanks,
Balshore


PickleRick
SplunkTrust

Does it happen in mid-connection or are you unable to establish any connectivity at all? Are you getting any logs from this UF?

If not, that would suggest either network problems or TLS mismatch (which is fairly unlikely if you have standardized config, to be honest).

If you're not getting any data at all, there is also the possibility of another issue that is quite nasty to debug - an IPS-like device in your network path. I've seen situations where an IPS (that everyone had forgotten about) was detecting "incorrect" certificates and was sending TCP RST to both ends of the connection. That's an ugly one because on both ends it looks like the other end just closed the connection without any apparent reason. And on the network level you're getting a TCP RST packet from the other end and that's it.

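The question above (mid-connection drop versus a connection that never completes) can be answered from the forwarder's own splunkd.log before touching the network. The following is an added example written for this thread, not Splunk's code and not the poster's: it walks constructed splunkd.log lines in order, tracks per destination whether a "Connected to idx=" line has been seen, and classifies each TcpOutputFd read error as happening while the connection was up or while it was down. Because the ERROR line names no destination, the script attributes it to the most recently mentioned output target; that attribution, the sample hosts, ports and timestamps are all assumptions made here.

```python
import re
from dataclasses import dataclass
from typing import Dict

# Constructed sample lines written in the style of a universal forwarder's
# splunkd.log. Timestamps, hosts and ports are made up; the ERROR text is the
# one quoted in the thread, the INFO/WARN lines mimic the usual TcpOutputProc
# connect and timeout messages. Nothing here was taken from a real host.
SAMPLE_LOG = """\
05-12-2025 10:00:01.000 +0000 INFO  TcpOutputProc - Connected to idx=10.1.1.5:9997, pset=0, reuse=0.
05-12-2025 10:15:00.000 +0000 ERROR TcpOutputFd [TcpOutEloop] - Read error. An existing connection was forcibly closed by the remote host.
05-12-2025 10:15:01.000 +0000 INFO  TcpOutputProc - Connected to idx=10.1.1.5:9997, pset=0, reuse=0.
05-12-2025 10:30:00.000 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.1.1.6:9997 timed out
05-12-2025 10:30:00.100 +0000 ERROR TcpOutputFd [TcpOutEloop] - Read error. An existing connection was forcibly closed by the remote host.
05-12-2025 10:30:30.000 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.1.1.6:9997 timed out
05-12-2025 10:30:30.100 +0000 ERROR TcpOutputFd [TcpOutEloop] - Read error. An existing connection was forcibly closed by the remote host.
"""

CONNECTED_RE = re.compile(r"TcpOutputProc - Connected to idx=(?P<dest>[\w.\-]+:\d+)")
TIMEOUT_RE = re.compile(r"TcpOutputProc - Cooked connection to ip=(?P<dest>[\w.\-]+:\d+) timed out")
READ_ERROR_RE = re.compile(r"TcpOutputFd \[TcpOutEloop\] - Read error")


@dataclass
class DestState:
    """Per-destination counters built up while scanning the log in order."""
    connected: int = 0               # successful "Connected to idx=" events
    timeouts: int = 0                # connect attempts that timed out
    read_errors_while_up: int = 0    # read errors after a completed connection
    read_errors_while_down: int = 0  # read errors with no open connection
    up: bool = False                 # current belief: is the connection open?


def analyze(log_text: str) -> Dict[str, DestState]:
    """Walk the log top to bottom and classify each read error.

    The ERROR line names no destination, so it is attributed to the
    destination most recently mentioned (assumption: the forwarder talks to
    one output target at a time, as it normally does per pipeline).
    """
    states: Dict[str, DestState] = {}
    last_dest = "(unknown)"
    for line in log_text.splitlines():
        if m := CONNECTED_RE.search(line):
            last_dest = m.group("dest")
            st = states.setdefault(last_dest, DestState())
            st.connected += 1
            st.up = True
        elif m := TIMEOUT_RE.search(line):
            last_dest = m.group("dest")
            st = states.setdefault(last_dest, DestState())
            st.timeouts += 1
            st.up = False
        elif READ_ERROR_RE.search(line):
            st = states.setdefault(last_dest, DestState())
            if st.up:
                st.read_errors_while_up += 1
            else:
                st.read_errors_while_down += 1
            st.up = False  # the peer closed it; the next Connected line reopens
    return states


def verdicts(log_text: str) -> Dict[str, str]:
    """Reduce the counters to the question asked in the thread."""
    out = {}
    for dest, st in analyze(log_text).items():
        if st.connected == 0:
            out[dest] = "never established"
        elif st.read_errors_while_up:
            out[dest] = "dropped mid-connection"
        else:
            out[dest] = "stable"
    return out


if __name__ == "__main__":
    for dest, st in analyze(SAMPLE_LOG).items():
        print(f"{dest}: connected={st.connected} timeouts={st.timeouts} "
              f"errors_while_up={st.read_errors_while_up} "
              f"errors_while_down={st.read_errors_while_down} "
              f"-> {verdicts(SAMPLE_LOG)[dest]}")
```

Run it against a real `splunkd.log` by replacing `SAMPLE_LOG` with the file's contents. A destination that shows "never established" with only timeouts points at the network path or a receiver that never finishes the handshake, while "dropped mid-connection" with successful reconnects points at the receiver closing sockets under load or a middlebox resetting established sessions.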

Balshore
Loves-to-Learn

Thanks for the reply.

Actually we are not using any TLS or SSL connection from UF to Intermediate HF.

When I run ./splunk list forward-server, the HF is inactive.

When I did the tcpdump, the HF is only sending SYN_RECV packets. Other UFs are established.

Last resort would be rebooting the UF servers already. (I already reinstalled the UF agent.)

Thanks,

Balshore

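The observation above, the receiving HF showing only SYN_RECV for this one forwarder while the other UFs are ESTABLISHED, is worth making systematically when there are a hundred forwarders to compare. Here is a small triage helper added for this thread (example code, not Splunk's and not the poster's): given `netstat -tan` style output captured on the HF, it counts TCP states per forwarder IP on the receiving port and lists peers that only ever reach SYN_RECV, the state a listener sits in after it has answered a SYN and is still waiting for the final ACK of the handshake. The sample rows, addresses and the default port 9997 are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed "netstat -tan" style output as it might look on a Linux heavy
# forwarder listening on 9997. Every address here is made up.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:9997            0.0.0.0:*               LISTEN
tcp        0      0 10.1.1.5:9997           10.2.2.11:51234         ESTABLISHED
tcp        0      0 10.1.1.5:9997           10.2.2.12:49001         ESTABLISHED
tcp        0      0 10.1.1.5:9997           10.2.2.99:50510         SYN_RECV
tcp        0      0 10.1.1.5:9997           10.2.2.99:50511         SYN_RECV
tcp        0      0 10.1.1.5:9997           10.2.2.99:50512         SYN_RECV
tcp        0      0 10.1.1.5:8089           10.3.3.1:40000          ESTABLISHED
"""

# One netstat row: proto, receive/send queue, local, remote, state.
ROW_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>[A-Z_\-]+)\s*$"
)


def peer_states(netstat_text: str, port: int = 9997) -> Dict[str, Counter]:
    """Count TCP states per remote IP for sockets on the receiving port."""
    per_peer: Dict[str, Counter] = defaultdict(Counter)
    for line in netstat_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header or unrelated row
        local, remote, state = m.group("local", "remote", "state")
        if not local.endswith(f":{port}") or state == "LISTEN":
            continue  # other services, and the listening socket itself
        peer_ip = remote.rsplit(":", 1)[0]               # strip the ephemeral port
        per_peer[peer_ip][state.replace("-", "_")] += 1  # ss spells it SYN-RECV
    return dict(per_peer)


def stuck_handshakes(netstat_text: str, port: int = 9997) -> List[str]:
    """Peers that only reach SYN_RECV, i.e. the handshake's final ACK never arrives."""
    return sorted(
        ip for ip, c in peer_states(netstat_text, port).items()
        if c["SYN_RECV"] and not c["ESTABLISHED"]
    )


if __name__ == "__main__":
    for ip, c in peer_states(SAMPLE_NETSTAT).items():
        print(ip, dict(c))
    print("handshake never completes from:", stuck_handshakes(SAMPLE_NETSTAT))
```

A peer that appears only in the stuck list while its neighbours are ESTABLISHED means the HF's SYN-ACK is being answered by nothing, or by something (a filtering device, asymmetric return path) that keeps the forwarder's final ACK from arriving; that narrows the search to the path between that one host and the HF rather than to the HF's configuration.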